Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement
2.4.24 Security The Hacker News
Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser.
The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "incognito" or "private" mode on web browsers like Chrome.
In late December 2023, it emerged that the company had consented to settle the lawsuit. The deal is currently pending approval by the U.S. District Judge Yvonne Gonzalez Rogers.
"The settlement provides broad relief regardless of any challenges presented by Google's limited record keeping," a court filing on April 1, 2024, said.
"Much of the private browsing data in these logs will be deleted in their entirety, including billions of event level data records that reflect class members' private browsing activities."
As part of the data remediation process, Google is also required to delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing User-Agent strings, and remove detailed URLs within a specific website (i.e., retain only domain-level portion of the URL).
In addition, it has been asked to delete the so-called X-Client-Data header field, which Google described as a Chrome-Variations header that captures the "state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation."
This header is generated from a randomized seed value, making it potentially unique enough to identify specific Chrome users.
Other settlement terms require Google to block third-party cookies within Chrome's Incognito Mode for five years, a setting the company has already implemented for all users. The tech company has separately announced plans to eliminate tracking cookies by default by the end of the year.
Google has since also updated the wording of Incognito Mode as of January 2024 to clarify that the setting will not change "how data is collected by websites you visit and the services they use, including Google."
The lawsuit extracted admissions from Google employees that characterized the browser's Incognito browsing mode as a "confusing mess," "effectively a lie," and a "problem of professional ethics and basic honesty."
It further laid bare internal exchanges in which executives argued Incognito Mode shouldn't be called "private" because it risked "exacerbating known misconceptions."
The development comes as Google said it has started automatically blocking bulk senders in Gmail that don't meet its Email sender guidelines in an attempt to cut down on spam and phishing attacks.
The new requirements make it mandatory for email senders who push out more than 5,000 messages per day to Gmail accounts to provide a one-click unsubscribe option and respond to unsubscription requests within two days.