banner

Fun fact: over half of internet users believe that Incognito Mode prevents Google from seeing their search history.

Another fun fact: 37% think it’s capable of preventing their employer from tracking them.

The truth? It actually does neither of those things.

In fact, Google collects so much data on its users that it’s become the subject of multiple lawsuits in recent years – the latest being a class-action lawsuit that could potentially cost the company billions of dollars. It alleges that Google illegally collected user data while they were browsing in Incognito Mode and used it to target them with ads.

In this article, we’ll take a look at the specifics of the lawsuit, the true breadth of Incognito Mode, and what it actually does (and doesn’t) protect.

More About the Lawsuit

Originally filed in June 2020 by law firm Boies Schiller Flexner LLP, this latest class-action lawsuit is officially seeking at least $5 billion in damages on behalf of its clients. It accuses Google’s parent company Alphabet of covertly collecting users’ information, including details about what they browse and view, under false pretenses of privacy with Incognito Mode.

The plaintiffs, all of whom are Google account holders, say that the search engine collected, distributed, and sold their personal data for targeted advertising purposes, even in Incognito Mode. They allege that although being led to believe their activity was private, Chrome still tracked their online behavior via Google Analytics, Google ‘fingerprinting’ techniques, Google Ad Manager, and concurrent Google applications on their devices. These technologies are very common throughout the internet – apparently, more than 70% of all online websites use one or more. Google’s reported ability to use them for the collection of consumer data – even in Incognito mode – means that the search engine can bypass any privacy safeguards consumers might reasonably expect.

Lawyers say they have a large body of evidence supporting their argument that Google intentionally misled its users regarding the feature’s security. Among the most damning are several internal emails that show executives were directly aware of misconceptions surrounding Incognito and specifically chose not to act.

The emails, which were released as part of the court process, clearly illustrate multiple attempts by employees to raise concerns about the issue with their superiors. Some show that staff actively joked about the fact that Incognito didn’t provide privacy, while others highlighted criticism towards Google’s approach to protecting user data.

The most telling though, include multiple emails between top company executives that prove this issue was known about at every level. A 2019 message from Google’s Chief Marketing Officer Lorraine Twohill to CEO Sundar Pichai explicitly reads that Incognito is “not truly private” – as clear of admission as you could get.

In addition to emails, the released court documents reference multiple internal presentations that further acknowledge Google’s awareness of Incognito’s privacy problem. One states that users “overestimate the protections that Incognito provides”, and another proposes removing the word “private” from its start screen altogether.

Essentially, what the lawyers are arguing with this evidence is that not only were top Google execs aware of users’ misconceptions about their privacy on Incognito but specifically chose not to act in favor of sustaining ad profits.

Of course, Google refutes all of the claims against it, stating they have been upfront with its users all along and those plaintiffs of this lawsuit have “purposely mischaracterized” their statements. The tech giant’s lawyers moved to dismiss the case 82 times in 2021, each of which was ruled against, allowing it to get to the certification process we’re at today. Google was also ordered to pay almost $1 million in legal penalties this past July for failing to disclose evidence in a timely manner.

A Growing Problem

This is by no means the first lawsuit Google has faced in recent years. As a matter of fact, its legal department is currently juggling tens of active cases, the plaintiffs of which range from the States of Texas and Washington to the District of Columbia, the Republican National Committee, Video game maker Epic, and dating app company Match Group. The search giant is also in the middle of issuing settlement payouts to several recently wrapped cases, including one of $85 million to the State of Arizona and another of $391.5 million to a 40-state privacy coalition.

But this new lawsuit in particular may be the biggest Google’s ever dealt with – the class-action initiative represents millions of individual users and is fighting for payouts of between $100 and $1,000 to every single one of them. You don’t need to be a genius at math to figure out this could easily rack up to billions of dollars in damages.

The plaintiffs’ lawyers are currently working on getting the case certified, which would move it one big step closer to an actual trial. And if Google does end up losing in court, it may not have any choice but to start writing very large checks.

Understanding ‘Incognito Mode’

Fully understanding this recent lawsuit and the implications it has for Google comes down to understanding Incognito Mode itself and the role it plays in user privacy.

Incognito Mode is a feature on all major browsers (Chrome, Edge, Safari, Firefox, etc.) that allows users to browse the internet without saving any local data to their device. This includes things like cookies, browsing history, and form autofill information. Essentially, it’s a way to ensure that your internet activity can’t be traced back to you or your device once you close the window.

While this sounds like a fool-proof way to browse privately, the reality is that Incognito Mode only offers what’s called “local privacy”. This means that while your internet service provider (ISP) and the websites you visit can’t track what you’re doing, any software you’re using can – including Google.

By definition, the word “incognito” means to disguise or conceal one’s identity.

The biggest problem Google’s Incognito Mode has faced over the years is the degree of purported concealment it really offers users. From a broad perspective, most people believe that the feature makes their online activity invisible, which as we’ll go on to establish in the next section, isn’t true. Its claims, nature, and name all lure users into a false assumption of security – leading to accusations of privacy violations and lawsuits when the true scope of Incognito’s visibility is revealed.

Does ‘Incognito Mode’ Really Protect Users’ Privacy?

So, does Incognito Mode really protect Google users’ privacy? The answer may depend on what you consider private information.

Industry experts explain that private browsing modes like Incognito are designed to safeguard customer activity on a very basic level. They’re mainly meant to keep your browsing history clean in cases where you share a computer with others. Effective at keeping the secret of what you’ve bought your partner for Christmas, but not protecting data regarding your online activities, interests, and behaviors.

To offer more concise answers, we’ve broken down the exact things Incognito officially does and doesn’t collect when you open a window:

What ‘Incognito Mode’ Does Protect

Incognito Mode isn’t completely pointless – it protects multiple facets of online user activity, including the following.

Browsing History

Browsing history refers to the list of web addresses conventional search engines automatically collect when you use your computer. The feature mainly exists for convenience, allowing you to quickly revisit websites without having to remember the URL. While this is useful in some cases, it can also be a major invasion of privacy, especially if you frequently visit sites other people might find controversial or sensitive. Browsing history is one aspect of online activity that Google explicitly promises not to save when you use Incognito Mode.

Cookies

A cookie is a small piece of data that’s stored on your computer or mobile device whenever you visit a website. Its main purpose is to remember information about you, such as your login details, language preferences, and items added to your shopping cart. Cookies can make the online experience more convenient, but they also allow companies to track your movements across the internet – even when you’re not using their specific services. Google will still place cookies on your device while you’re in Incognito Mode, but they’ll automatically be deleted as soon as you close the window. This means that any information these cookies collect about your online activity can’t be used to identify you at a later date.

Download History

Download history is a record of every file you’ve downloaded while using Chrome. Like browsing history, this feature is designed for convenience, allowing you to quickly access files without having to search for them on your computer. However, it also represents a significant invasion of your privacy, as it can be used to track the types of files you download, where you download them from, and what you do with them after they’re on your device. Google doesn’t save your download history when you use Incognito Mode, meaning that any files you download while in this mode can’t be traced back to you.

Search History

Search history refers to the terms you’ve entered into Google’s search engine, as well as the results pages you’ve accessed through these searches. Like cookies, search history is used to tailor your future experience of the internet, serving you more relevant results and ads based on your previous behavior. Google doesn’t save your search history when you’re in Incognito Mode, meaning that your future searches won’t be influenced by the terms you enter while in this mode.

Site and Form Data

Site and form data is information like usernames, passwords, addresses, and preferences that you’ve entered on specific websites. This data is generally stored in cookies, but can also be saved in your browser’s cache – a temporary storage space for frequently accessed files. Google doesn’t save site data when you use Incognito Mode, meaning that any information you enter on websites while in this mode can’t be accessed or used at a later date.

As mentioned earlier, these capabilities are mainly designed to conceal your local browser history, mainly to keep others from snooping on your browsing or download habits. However, they do little to actually protect your anonymity online – for that, you’ll need to use tools like VPNs. 

What ‘Incognito Mode’ Doesn’t Protect You From

While it delivers some value, Google Incognito Mode doesn’t go as far in protecting users’ privacy as many think. The following are just some of the ways in which your activity can still be monitored and recorded while using this feature.

Google

Based on the lawsuit discussed in this article, Google’s core web tools – including Analytics and Ad Manager – still track and collect data from users in Incognito Mode. While this information can’t be used to personally identify you, it can be used to build up a detailed profile of your web activity, interests, and habits.

Employer or School Networks

If you’re using a work or school computer, it’s likely that your employer or school has installed monitoring software that allows them to track your activity, even in Incognito Mode. This software can record the websites you visit, the files you download, and the searches you perform, meaning that your employer or school will still be able to see what you’re doing online, even if Google can’t.

Your ISP

Your internet service provider (ISP) can still see the websites you visit while you’re in Incognito Mode. They can also track the amount of data you’re using and the time you spend online. This information can be used to deliver targeted ads and content and can even be sold to third-party companies. The best way to hide online activity from an ISP is to use a Virtual Private Network (VPN) service, which will encrypt your traffic and prevent your ISP from being able to track it.

Malware

Malware is malicious software that can be installed on your computer without your knowledge. Once it’s in place, it can be used to track your activity and collect sensitive information, even when you’re in Incognito Mode.

Government Surveillance

While Incognito Mode can help to protect your privacy from snooping on family members or roommates, it won’t do much to shield you from government surveillance. If the government is monitoring your activity, they’ll still be able to see the websites you visit and the searches you perform, even when you’re in Incognito Mode.

While it has yet to be officially labeled a ‘dark pattern’, Google’s Incognito Mode is likely in store for further controversy in the years to come. For now, it’s important to be aware of the limitations of this privacy feature and to use other tools – like VPNs – to ensure that your activity is truly private and anonymous. Speaking of data privacy and protection, our solutions Tokenizer+, Redactor+, and Secrets+ can improve your security framework and protect your organization from potential cyber threats. Contact us today for more information.