Many users hope for “private surfing” protection. Because of the large amount of data flowing, Google is now being sued.
How private is private mode surfing really? The question is now also of concern to a federal court in San Jose, California. There, three private individuals filed a class action lawsuit against the US company Google via the Boies Schiller Flexner law firm. The claimant claims $ 5,000 per plaintiff, a total of $ 5 billion. The accusation: Google illegally spied on users – while they trusted to be well protected from surveillance in so-called incognito mode.
In incognito mode, users of Google’s Chrome browser can surf the company “privately” according to the company. If you open the incognito window, you can be sure that your “browser history, cookies or website data or information entered in forms” will not be saved, according to the web support of the browser. The plaintiffs allege that Google is deliberately trying to mislead its users. The company would also track searches and other information that would help identify people. The plaintiffs see this as a deliberate violation of privacy.
Misunderstanding instead of misleading
Thorsten Strufe, professor of IT security at the Karlsruhe Institute of Technology, doubts that Google’s account is a strategic misnomer. In his opinion, the reason for the problem is a misunderstanding: the phrase “incognito mode” or “private surfing” is interpreted by many users in such a way that their online activities are neither observed nor saved nor processed. A fallacy for which Google itself does not want to take responsibility. A spokesman for the company explains that the browser points out each time an incognito window is opened that clicks and other entries are not saved in the browser, but websites can still collect data.
The assumption of the users is partly correct: Those who surf “privately” leave no traces – in the browser and on their own device. In incognito mode, cookies and other activity logs on the user’s device are deleted as soon as the browser session is ended. This can be an advantage if several people share a computer in a household or at work and prefer to keep sensitive research such as symptoms of illness to themselves. Or for people who buy a gift for their partner online and do not want them to be made aware of similar offers the next time they log in. Finally, advertising tracking software remembers which products were searched for or bought from a connection and then always offers similar products.
Incognito, but not unobserved
But even in incognito mode, a lot of data still flows. “Of course websites set cookies as normal, have access to session and local storage and can use browser fingerprinting or the user’s IP address for identification,” says Johannes Caspar, Hamburg’s data protection officer. Tracking instruments such as Google Analytics or Google Ad Manager also collect data on the online behavior of individual people across websites, among other things, in order to then display targeted advertising to them. In other words: Google knows where the user has been on the net, how long they have been there, what interests them and in many cases who they are. The combination of different movement data, which is recorded online via him, enables such identification even if no specific IP address is recorded by the person. Thorsten Strufe and his research team at KIT recently discovered this in a study. Many websites work with a so-called generalization procedure, in which individual identifiable data, such as the IP address, are changed. On the one hand, this should enable analyzes, on the other hand, anonymize individuals. This mechanism is easy to bypass due to the large amount of additional information, such as those that are recorded by tracking services, and users can be identified again.
A question of transparency
The EU General Data Protection Regulation (GDPR) requires so-called purpose limitation and informed consent. Personal data may therefore not be collected and processed indiscriminately. People must be informed in advance of the purpose for which the data should serve (for example, only to analyze visits to a website or for targeted advertising). Large international corporations in particular do not offer sufficient transparency on this issue, says Müller-Quade. As a result, the “informed consent” required was not possible at all.
For those who value it to remain largely undetected in their online activities, Thorsten Strufe recommends the Tor browser, which does not send any clearly assignable user data to tracking services or servers of visited websites. In more common browsers such as Firefox or Opera, you should keep the browser default settings to prevent changes made there, for example by program installations or individual design adjustments, from drawing conclusions about the individual user. In combination with special data protection add-ons (such as anonymoX) and regular deletion of cookies, this can help to remain anonymous.