Google loses bid to throw out ‘Incognito’ lawsuit, placing private browsing under scrutiny
After a judge earlier this week denied a request from Google to put an end to a $5 billion consumer privacy lawsuit, lawyers and privacy experts say the tech giant will now have to gear up for what might be a long battle that gets to the core of so-called private browsing — and whether it is as private as consumers have been led to believe.
Google’s privacy policies are unclear and the protections given by its Chrome Incognito browsing product are not as robust as portrayed, according to a California judge, who ruled Monday that a class-action lawsuit against Google may proceed.
Plaintiffs say Google violated the privacy of millions, arguing that it obscures the fact that it can track users even when they are privately browsing in Incognito mode.
The allegations don’t surprise many internet experts.
Several studies conducted in recent years have shown that most people don’t understand that private browsing is not really private, said Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), an independent research institute affiliated with the University of California, Berkeley.
“Many people think that it's offering protections that it does not offer, and that can be really dangerous,” Egelman said.
He added that because it is very well-known in tech circles that users widely misunderstand the security of private browsing, Google has “some duty” to more clearly communicate the reality to customers.
Incognito mode may reset tracking cookies for users who close their browsers in between sessions, he said, but other information that's collected such as IP addresses and information about your browser can be used to construct what's known as a fingerprint, which relies on data gathered to create a unique identifier which can track users over time, he said.
“Companies like Google, while their cookies might get deleted, there's other information that still gets sent to them, regardless of whether or not the user is using the incognito mode that still might allow the site to identify them,” Egelman said.
The judge’s order, which dismissed Google’s motion for a summary judgment, means plaintiffs will either settle or head to trial with their claims that Google covertly tracks Incognito mode users in contrast to what most users believe thanks to mixed signals from Google on private browsing practices.
The judge’s apparent focus on the “net impression” of Google’ statements and images disseminating Incognito to consumers is noteworthy, said Jessica Rich, a former director of the Federal Trade Commission’s Bureau of Consumer Protection and now an attorney in private practice at Kelley, Drye and Warren LLP. Rich pointed out that the judge’s lens in that regard is similar to how the FTC would weigh a deceptive practices finding.
“Those statements and images include the name Incognito, the visual effects when users navigate to Incognito mode, and the privacy policy, which the court concluded failed to explain or alter the impression created by the name and visual effects,” Rich said via email.
When users go “incognito” they are met with a black screen and a logo appearing to be an anonymous man, which the judge’s order referred to as a “spy guy icon.”
“Another way to look at it is that the judge had little tolerance for what she viewed as a confusing privacy policy and made her decision based on the overall impression she believed Google created in marketing and offering the service,” Rich added.
Indeed, California federal judge Yvonne Gonzalez Rogers said in her order that the way Google presents Incognito mode could be “read to contradict its suggested interpretation of the Privacy Policy.”
The judge focused in part on how she said Google appears to confuse users by portraying Incognito mode as a distinct offering without clearly articulated privacy terms for the service.
"Google itself created a situation where there is a dispute as to whether users' consent of Google's data collection generally is 'substantially the same' as their consent to the collection of their private browsing data in particular," Gonzalez Rogers wrote in her opinion.
The judge pointed to plaintiffs’ evidence showing that Google stores and mixes regular and private browsing data in the same logs and leverages those mixed logs to send users personalized ads.
“Even if the individual data points gathered are anonymous by themselves, when aggregated, Google can use them to ‘uniquely identify a user with a high probability of success,’” the judge wrote.
Google said it strongly disagrees with the judge’s decision.
“Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device,” spokesperson Jose Castañeda said via email. “As we clearly state each time you open a new Incognito tab, websites might be able to collect information about your browsing activity during your session.”
Google has argued that its private browsing terms are clear, but Bonnie Patten, executive director of the non-profit consumer advocacy organization Truth in Advertising, said Google had a responsibility when marketing Incognito to disclose “material terms that were not self-evident to a reasonable consumer.”
“If we look at the way they displayed and featured their Incognito service, it's quite clear that it doesn't say, ‘and by the way, we're going to be accessing all your data,’” Patten said.
While the case may well get settled without Google having to substantially change its practices, Patten said the value of consumers being educated through press reports can’t be underestimated. And Google may be pushed to clarify their policies as a result of the public pressure stirred up by a settlement or court decision.
Another valuable discussion to emerge from the case stems from Gonzaelz Rogers' focus on the value of consumer data, Patten said.
The judge’s order underscores that Google piloted a program paying users $3 a week to track them, a fact she used to argue that there is a market for consumer data which Google profited from in improperly capturing Incognito browsing histories. Gonzalez Rogers wrote that given this pilot “a remedy based upon unjust enrichment may lie.”
Platforms have historically argued that consumers are not harmed when Facebook or Google misappropriate data, Patten said. This judge’s order is important for quantifying how that is untrue, she said.
“The court did a good job in saying that the breach in and of itself is an injury that is of value,” Patten said.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.