Google’s legal troubles continue as a class-action lawsuit has been filed in California alleging that the company violated federal wiretap laws by collecting data when users were in “private browsing” mode. The suit also cites privacy violations under a California law that requires both parties to give consent to have any private communications monitored.
The alleged Google privacy violations
The lawsuit centers on “incognito mode” in Google’s Chrome browser, which is supposed to protect the user’s privacy. Though this mode prevents browsing history, cookies and the content of forms from being saved to the local device, it does not necessarily keep that activity private from Google or prevent third-party privacy violations. The lawsuit alleges that Google intercepts search queries, browsing history, specific website URLs, IP addresses, and browser and device information, among other pieces of private and personally identifiable data.
Google claims that it warns users that this sort of data may be visible to third parties on the internet even if incognito mode is activated; this appears to be true on the company’s support page, though the page does not specify that Google cannot see or does not log the information. In a statement in which it said that it would “vigorously defend” itself from the claims, a Google spokesman also said that Chrome relays a similar message every time a user opens a new incognito mode browser tab.
The New York Times reports that the private browsing lawsuit was initiated by three people with Google accounts: Chasom Brown and Maria Nguyen, both of Los Angeles, and William Byatt, a Florida resident. The proposed class-action suit claims that end users have a reasonable expectation of privacy when using a private browsing mode, and that Google “intentionally deceives” consumers about the level of control they have over how much personal information the company retains.
Should Google be found liable, the company could potentially be on the hook for about $5 billion in fines for privacy violations involving hundreds of millions of Chrome users. The period of eligibility would date back to June 1, 2016.
How private is Chrome’s “private browsing”?
The crux of the lawsuit is Google’s loosely affiliated suite of various analytics and advertising tracking tools, which are one of the company’s primary revenue streams.
Tools such as Google Analytics and Ad Manager collect information from all internet users that visit the sites they are installed on, even those that do not browse the internet with Chrome or do not have Google accounts. The tracking is more personal and detailed for Chrome users, however, as they are prompted to associate a Google account with the browser.
Chrome gives Google a clearer link between the end user and their web activity, even if they are not using a personally identifiable Google account. The company logs information on user preferences based on websites that are visited and links that are clicked, and even the contents of search fields that are filled out. Private browsing mode does not protect the end user from any of this.
In addition to all of this, Chrome’s incognito mode has a long-running API bug that allows third-party websites to recognize when a user has private browsing enabled. The issue persists in the recent release Chrome 83.
What do the laws say about the alleged privacy violations?
The suit claims that Google is violating the Federal Wiretap Act on the basis of failure to obtain the consent of the end user. It asserts that Google’s requests for these pieces of personal information are made not just without consent, but without even adequately notifying the end user that the communication is taking place. It points out that elements like Google Analytics and Ad Manager are generally invisible to the end user without digging into the HTML code of the web page, and that Google does not require that the presence of these elements be disclosed by individual sites that partner with them. Private browsing mode also does nothing to provide any added information to the end user.
The state-level privacy violations charge is under the California Invasion of Privacy Act (CIPA), which also requires the consent of all parties for any private communication to be intercepted or recorded. The case here is similar, alleging that private browsing mode creates a false sense of security and that consent cannot be obtained if the end user is not fully informed of what is happening in the background.
Google has faced similar charges of privacy violations before in the EU. The company’s record-breaking €50 million fine for violating the terms of the GDPR was upheld based on similar elements: the fact that the company did not obtain clear consent from the end user and did not make its actions transparent enough to them. The enforcement agency in that case cited too many confusing multi-part steps in obtaining full information about how browsing activity was being handled, and pre-selected privacy options that required users to proactively opt out of them to have their data protected. While EU rulings on privacy violations obviously cannot be applied to cases in United States courts, it is not a precedent that bodes well for the tech giant.