Google has been sucking up consumer data in surprising ways—such as when browsers are in “incognito” mode—according to a new report.
The study, from Vanderbilt University and released Tuesday, analyzed how data is gathered from all Google products, including Android mobile devices, Chrome web browsers, YouTube and Photos. In addition to incognito data collection, the study also looked at how Google Photos generates consumer data, the depth of the service’s location tracking and more.
Many users assume that when they’re in the incognito setting, their online footprints are hidden. But Google could retroactively link the private browsing to specific consumers, the report says.
As the reports puts it: “While such data is collected with user-anonymous identifiers, Google has the ability to connect this collected information with a user’s personal credentials stored in their Google Account.”
Here’s how it works: A person fires up a private browser session in Chrome. On websites that run ads from Google’s online ad marketplace, anonymized cookies are dropped on the browsers associated with the user. If the same person leaves private browsing mode and logs into a Google service like Gmail or YouTube, the act of signing into Google makes it possible to connect the earlier web activity to the now identified user. (Unless, that is, the cookies expired or were manually deleted by the user.)
“That’s not well understood by consumers,” says Douglas Schmidt, author of the study and computer science professor at Vanderbilt University. “But if you read the fine print on ‘incognito’ mode it brings up a whole lot of disclaimers.”
Google did not immediately respond to requests for comment about the report.
The study could not tell if Google takes the steps necessary to link the anonymous data from private browsing to the de-anonymized data when the person logs into its services.
“Google collects all the information necessary to make that connection,” Schmidt says. “It would give them a relative advantage to anyone else who can’t do that correlation.”
“If a user is ‘incognito’ they think they’re being as private as possible, and they’re not realizing they gave that all up because they logged in,” says Jason Kint, CEO of Digital Content Next, a trade group known for its opposition to the major internet companies’ online dominance, and which is helping to circulate the study. “It’s reasonable to think the average user does not expect that to be happening.”
The study also says that Google gets a sense of a person’s location every time they log into WiFi or their phone pings a cell tower and that this, in turn, can even help it figure out a person’s mode of transportation.
“Google can ascertain with a high degree of confidence whether a user is still, walking, running, bicycling, or riding on a train or a car,” the report says. “It achieves this by tracking an Android mobile user’s location coordinates at frequent time intervals in combination with the data from onboard sensors [such as an accelerometer] on mobile phones.”
Google Photos is another vast reservoir of data thanks to image recognition, according to the report. By default, Google analyzes photos and detects landmarks, logos, animals and other features, and it even registers the emotional state of people’s faces.
“Google’s face detection capabilities even enable the detection of emotional states associated with faces in photos,” the report says.
The report was particularly concerned with the amount of “passive data” collected by Google, which refers to information being gathered mostly without the consumers realizing it, such as through ads and third-party web and app activity not directly owned by Google. The report claims two-thirds of data collected by Google would be considered “passive.”
“While such information is typically collected without identifying a unique user,” the report says, “Google distinctively possesses the ability to utilize data collected from other sources to de-anonymize such a collection.”
The study comes just as lawmakers in Washington consider more stringent privacy regulations. The EU already enacted its stricter General Data Protection Regulation in May, and Facebook and Google are facing similar pressure in the U.S. to account for how they track consumers online.
In April, Facebook CEO Mark Zuckerberg testified to Congress about Cambridge Analytica, the third-party data firm that was accused of misusing data on 87 million Facebook users to unduly influence elections in the U.S. And U.K.
A major concern of some U.S. lawmakers during those hearings focused on how Facebook tracks consumers that don’t even use its services by gathering data through third-party websites with Facebook “like” and “share” buttons.
The Vanderbilt report raises similar questions about Google. There are 15 million websites using Google’s ad services and 30 million use Google Analytics, which is the platform that lets them track traffic and other site performance metrics. Also, Chrome accounts for 60 percent of all web browsing with a billion monthly users, the report says.
An Associated Press report just last week showed how the company can record people’s locations even when they turn off location tracking in their settings. Google is still able to log a person’s location through its phones and other devices when a person fires up Google Maps or searches weather, the AP reported.