In 2020, a class action was filed against Google for $5 billion, claiming that Google Chrome was collecting data from its users without consent during incognito browsing. On December 28, Google settled the lawsuit for an undisclosed amount.
While not much is known about the proceedings, available documents suggest that the California court found that Google presented Chrome’s incognito mode in a confusing and potentially deceptive way. These documents are interesting and worth glancing through!
Exploiting ambiguity
The most comprehensive source of information on the case is the District Court of Northern California’s decision to deny Google’s motion for a summary judgment. There’s a lot of legalese about harm and breach of contract, but the really interesting part is the Court’s assessment of the claim that Google did not supply clear enough information on how Incognito Mode works.
It is worth highlighting that the Court did not ultimately adjudicate the claims; it only ruled that they did not appear without merit. Still, the reasoning is worth analyzing.
Google claimed that the disclosures of personal data were clear from the Incognito mode splash screen:
While the information provided by Google is accurate, the presentation of Incognito mode- along with a “spy guy” icon- can deceive the end user as to what Incognito mode actually does, as noted by the Court.
Google’s privacy policy also mentions Incognito browsing as a way to “manage your privacy” in Incognito mode, further adding to the confusion. Last but not least, the splash screen conveniently omits that online activity is visible to Google itself and only mentions websites, ISPs, and network owners.
According to the Court, Google knew that consumers misunderstood what Incognito mode does. In other words, the company was aware of the ambiguity and took advantage of it.
Google’s strategy of ambiguous communication is evident from the splash screen itself. While not incorrect, the information is unnecessarily dubitative and impersonal in tone. “Your activity might be visible to websites” is a correct but heavily sugar-coated statement. “Google tracks you while you browse in Incognito mode” would get the point across much better.
This strategy of ambiguous communication fits a general trend of taking “technically true” statements and sugar-coating them to the point where they become misleading.
Google’s mantra that it does not sell personal information is another of Google’s sugar-coated half truths.
This is technically correct: you cannot pay Google to disclose personal information. But the company discloses plenty of personal information to third parties and plays a crucial role in the RTB system, a.k.a. history’s largest and still ongoing data breach. It also profits from this disclosure system.
From a practical viewpoint, it is entirely irrelevant that these disclosures are not a sale in a strict legal sense. Privacy-wise, we would all be better off if Google sold personal information rather than disclosing it to hundreds of unaccountable third parties with every single ad exchange.
Placebo buttons
Most of the close door buttons in elevators do nothing. They are a placebo that gives you a reassuring sense of control over the door.
Chrome’s Incognito mode is one of the many placebo buttons of digital privacy, and there are many more. Some of them outright lie to users while others- like Incognito mode- take advantage of ambiguous communication. Either way, these placebo buttons trick users into a false sense of security.
Google’s location settings are another placebo button. The company has a history of deceiving users on how location data are processed, leading to countless lawsuits. Hardly a day goes by without Google reaching an eight or nine figures settlement over location tracking in some US Court. This deception is based on complicated, confusingly worded privacy controls that give the user a sense of security but change little or nothing in the way Google processes location data.
Meta’s ad-free subscriptions are a placebo button as well- and one you pay for!
Regardless of its claims, Meta still profiles paid users to better target them with content- and gets paid for it by content creators who are trying to build or expand their audience. This is not technically targeted advertising because Meta serves content, not ads. But it is similar enough and equally invasive.
Update
We have some good news: according to the CNN, Google also agreed to delete billions of data records as part of the settlement. As of April 2024, the amount of the settlement is still unkown,
Final Thoughts
It is not just Big Tech, either. Many websites worldwide write cookies regardless of user choice but still display a cookie banner to give an illusion of choice.
It is about time we wise up to the trick and demand privacy buttons that actually work.
Stuff like this is the reason we started building real privacy-friendly products such as Simple Analtyics. We believe in an independent internet where visitors are treated fairly. If this resonates with you, then feel free to check out what we are building here.