The Lone Star State is coming for Incognito mode.
In a petition filed Thursday that piggybacks on a previous lawsuit against Google, Texas Attorney General Ken Paxton described the so-called “private” search setting as misleading and “deceptive” because of its location tracking.
Pulling out his dictionary, Paxton takes issue with Google’s very use of the term “Incognito” which he says an everyday Texan would interpret to mean having “one’s identity concealed.” That’s also Merriam-Webster’s interpretation.
“Google’s representations about Incognito mode are false, deceptive, and misleading,” the suit reads. “Not only do users not know that Google is able to and does collect data on them during private browsing, users effectively have no way to avoid much of Google’s data collection practices.”
Incognito browsing hides your search history from other people using your device. It doesn’t actually stop Google or its advertiser friends from logging and profiting off your search history. So does Paxton, an idiot election denier who’s been under indictment for seven years, have a point?
A Google spokesperson denied his claims and pushed back in an email sent to Gizmodo.
“The Attorney General’s case is, once again, based on inaccurate claims and outdated assertions about our settings,” the spokesperson said. “We have always built privacy features into our products and provided robust controls for location data. We strongly dispute these claims and will vigorously defend ourselves to set the record straight.”
The amended lawsuit rails against Google for allegedly deceptively capturing user data while they surf in Incognito mode. “Google does this,” the suit reads, “despite repeatedly assuring Texans that they have control over what information generated during an Incognito session is shared with Google and others.” For what it’s worth, Google does explain some of these details when you launch Incognito, but only after you click on a “learn more” link and click again on another dropdown menu.
According to Paxton, Google “deceptively represents that Incognito Mode allows Texans to control what information Google sends and collects.”
Paxton shits out lawsuits and investigations at an astounding clip. Many of them jockey between absurdity, cruelty, and stupidity. He sued to overturn the 2020 election in Donald Trump’s favor, alleging an “overthrow” by Joe Biden. The state’s bar is suing him for it. He’s been under indictment since 2015 on felony fraud charges pertaining to his stock trades and investments. You can see nightmarish half-smiling mug shot here (trigger warning). He’s ordered DirecTV to keep the election-denying cable channel One America News on air, or else. In this suit against Google, he’s clearly trying to curry favor with the Republican base by appearing hard on the liberal specter of Silicon Valley, as evidenced by the hashtag #BigTech in a Thursday tweet from his office. At the same time, he sued Meta earlier this year over Facebook’s facial recognition software, claiming the service violated Texas privacy laws. He’s spearheaded an antitrust suit against Google, alleging the company illegally used its marketplace power to control the way online ads are priced, an accusation similar to the animus behind bipartisan legislation now poised to hit the Senate floor. And that’s just one of five suits he’s filed against Google.
So on the Incognito issue, does Paxton have a point? Privacy experts and researchers who spoke to Gizmodo say: definitely.
To get a sense of whether or not Paxton is totally full of it or not, Gizmodo spoke to Electronic Frontier Foundation Staff technologist Bennett Cyphers. While Cyphers couldn’t vouch for all of the AG’s specific claims, he agreed that Google’s privacy claims around Incognito are misleading.
“For a user who is not that sophisticated, or even moderately sophisticated, it’s really difficult to understand how many different ways data can be gathered about you on the web.” The nuances involved in parsing through all those techniques risk getting washed away by simply referring to the setting as “Incognito.”
“Private modes in web browsers were never designed as a general privacy fix. In practice, they offer very little,” independent cybersecurity and privacy advisor Lukasz Olejnik told Wired in 2019. Olejnnik says user data generated on private browsing and regular sessions are tracked in the same way. Third-party sites can also detect whether or not a user is using private browsing. That, Olejniks says, is why paywalled news sites like The New York Times or Wired can still tell when an Incognito reader has blown through their last free article. Even if you’re just using private browning to secretly watch videos (😉) on a shared device, researchers say someone with enough motivation could still find traces of that browsing history on the machine’s hard disc and memory.
EFF’s Cyphers criticized Google, which possesses the overwhelming majority of browser market share with Chrome, for doing what he sees as considerably less for privacy than other companies.
“Google has more resources than anyone else to build a sophisticated private browser but their idea of a private browsing mode is a lot less sophisticated and nuanced than their competitors,” Cyphers said. He pointed to Safari and Firefox as examples of alternative browsers with more tailored methods that are preferable to Google’s approach of blocking all third-party cookies.
“Your private browsing mode only blocks your own browser from recording your traffic and it doesn’t hide your IP,” Nord Virtual Private Network’s Daniel Markuson writes. “It doesn’t encrypt or route your traffic via remote server the way a VPN does. It only erases your browsing history, deletes cookies when you close the browser, and removes the data you enter in online forms. Your ISP, your employer, websites, search engines, governments and other third-party snoopers can still collect your data and track your IP address.”
None of this may come as much of a surprise for regular Gizmodo readers, but it’s not necessarily obvious for the majority of Chrome users who don’t have the time or interest in digging under Incognito’s hood. A 2018 study conducted by researchers at the University of Chicago and the Leibniz University of Hanover tackled the issue and found rampant misunderstandings of what Incognito and other private browning tools do and don’t do. 56.3% of participants in that study believed Incognito prevented Google from seeing their search history (it doesn’t), while 37% said they thought Incognito could prevent their employer from tracking them (it can’t). Roughly a quarter thought using Incognito would somehow offer them greater protection against viruses and malware (again, no).
“Google offers a pretty decent, dumb way to protect your privacy but it’s not very sophisticated and misses a lot of ways trackers can still collect data and will break functionality on sites that don’t have to be broken if they would have taken a more targeted and sophisticated privacy-protecting approach,” Cyphers said.
If throwing Ken Paxton a bone makes you want to lose your lunch, we get it. It’s worth noting, though, that he’s not the only one taking Google to court over Incognito. Google was sued in 2020 as part of a class-action lawsuit accusing the company of invading millions of users’ privacy by tracking them while they used Incognito Mode. The lawsuit, which seeks a minimum of $5 billion in damages, claims Google intentionally deceived its users regarding Incognito’s functionality. Google CEO Sundar Pichai was reportedly warned against referring to Incognito as private back in 2019, but he continued to do so anyway. Google tried to kill the case, but last March, a U.S. District Court judge said that the company “did not notify users that Google engages in the alleged data collection while the user is in private browsing mode.” A broken clock like Ken Paxton is right twice a day. Put a more Texan way: even a blind hog can still sniff out a truffle or two.
In terms of what Google can do better, EFF’s Cyphers said Google could improve Incognito by following Firefox’s lead and adopting a tracker blocking list, moving to restrict some first party cookies, and taking more active anti-fingerprint measures. “Basically just try harder,” he said. Even if all of those steps are achieved, though, Cyphers says Google’s ad-based business model inherently runs up against its privacy commitments.
“The best thing Google can do is spin off their advertising business into a separate company so there’s not a tremendous conflict of interest at the center of its business model,” he said.