Server logs with IP addresses are acceptable to most European privacy regulators if you only use them for a technical purpose such as debugging, and don't keep them longer than needed for that.
So practically: logs are fine, delete them after a while. If you store the same information in a permanent database and use it for analysis you're in trouble and should have asked permission.
The fact that the user uses a private window or other means to indicate that they don't want to be tracked probably makes this a clearer case.
> The fact that the user uses a private window or other means to indicate that they don't want to be tracked probably makes this a clearer case.
That’s a very confusing statement. My server logs don’t filter incoming log entries based on user agent, and certainly not on whether you’re using a “private window” or not.
In addition, the goal of a private/incognito session is to be indistinguishable from regular sessions, otherwise websites can easily discriminate against private sessions (which they're already trying to do as hard as they can).
Edit: Wow, the number of people on this thread claiming websites should be able to opt people out of logging based on whether they're using a "private window" (which websites should have absolutely no idea about) makes me question if I'm even on Hacker News.
Edit 2: Chrome sends an X-Client-Data header (which in a sense includes an installation ID, but allegedly has limited entropy) to certain Google properties, and rightfully got a lot of flak for it. It does not do so for incognito sessions. And now we have people arguing that Google should de-incognito incognito sessions to their analytics properties. Crazy stuff.
> Wow, the number of people on this thread claiming websites should be able to opt people out of logging based on whether they're using a "private window" (which websites should have absolutely no idea about) makes me question if I'm even on Hacker News.
Especially since "Websites shouldn't be able to tell if you're in incognito mode" has been highlighted in the past as a privacy ask, yes.
People can at least agree "website shouldn't be able to tell if you're in incognito mode" and "website should not track you if you are in incognito mode" are two mutually exclusive features, right?
How about: "Websites shouldn't do digital fingerprinting to intentionally circumvent incognito mode." Does this make sense to you as a legal argument?
And yes, this does mean that if it comes to litigation, a lot of this will depend not just on what you did but why you did it.
If you write analytics, unaware of incognito mode, you're probably okay.
If you write that same exact code because your boss comes in and says "shad, we're losing A LOT of user data to users in incognito mode. Could you do some kind of digital fingerprinting so we can still track them?" then you might be criminally liable for digital trespass -- you've intentionally bypassed my security mechanism.
That's the kind of feel-good law that ends up very unenforceable because it ignores technical reality. Not a fan.
If the exact same action does the exact same harm and is legal or illegal based on intent, enforcing that law is going to enrich a lot of lawyers but isn't going to practically rope in many companies' behaviors.
That's not a proposal for a law. I'm not arguing about how the law ought to work. For better or worse, that's a description of how the legal system in the US works RIGHT NOW.
And yes, it does enrich a lot of lawyers.
Look up the CFAA cases for a great set of examples of how these laws can explode in this exact domain: people charged with digital trespass who bypassed no or minimal technical measures. And it doesn't feel good either in most of those cases.
To be frank, though, if this gets applied to Google, it will feel pretty good.
Correct; it does not. Which is why steps were taken to minimize remote servers' ability to use secondary signals (such as access to localstore APIs) to make an educated guess about whether the user was operating in incognito mode.
It's not me who doesn't know how it works; it's the people who think "New York Times shouldn't be able to whine at you if you're in incognito mode to go buy a subscription" and "servers should be required to modify how they handle your traffic if you're in incognito mode" are compatible protocol features.
Detecting when users of any browser are using Incognito mode goes against the spirit of privacy, even if it’s not being done to directly track people as such, and any information that some browsers share and others don’t helps add to a browser’s fingerprint.
But you're not using the IP addresses in the logs to circumvent the fact that cookies are being deleted by your user's device right? Because it looks like that's what Google was doing, and that's actively circumventing the decision of the user not to be tracked which is illegal in many places.
I don’t use GA on my own websites, or analytics cookies, or tracking pixels, or whatever. But I sometimes use goaccess on my server logs which tells me the number of unique visitors (based on unique IPs) and such. Whether they visited in private sessions or not, of course. So I guess in a sense I’m “tracking” them through logged IP addresses, but it’s completely orthogonal to whether incognito mode is on.
My interpretation of this article is it's related to incognito mode.
How is it circumventing a "decision of the user not to be tracked" when "private" modes usually explicitly state they can't/don't stop websites from logging information?
This is actually no longer true: Google recently added third party tracker blocking when you're in incognito mode. Of course, every other browser does this even outside of incognito mode, but the point stands that Google has actively added features to prevent websites from tracking you in this mode.
At a GDPR presentation that I attended recently in Norway the message was that IP addresses must be masked if they go to permanent storage. For IPv4 it could be OK to clear the last byte of the address, but in general the message was to save the least amount of information. For example, if the IP is used for locating regions, then save the regions, not the IP itself.
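The two data-minimisation steps described in the comment above (clear the last byte of an IPv4 address before the log goes to permanent storage; store a region instead of the address when the region is all you need), and the goaccess-style unique-visitor count from the earlier comment, as an added worked example. This is illustration code written for this page, not goaccess, not anything Google ships, and not from any thread participant. It assumes Apache/nginx "combined" log format with the client address as the first field; the sample log lines, the IPv6 prefix length of /48 (the comment only speaks of IPv4), and the prefix-to-region table are all constructed for the example.

```python
"""Mask client IPs in web-server log lines before they go to permanent storage.

Added example, not from the original thread. Assumes the client address is the
first whitespace-separated field of each line (Apache/nginx "combined" format).
"""
import ipaddress
import re

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.17 - - [10/Jun/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Jun/2024:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET / HTTP/1.1" 304 0 "-" "curl/8.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Jun/2024:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:abcd:1234:ffff:0:0:2 - - [10/Jun/2024:12:00:05 +0000] "GET /x HTTP/1.1" 404 0 "-" "Mozilla/5.0"
not-an-ip - - [10/Jun/2024:12:00:06 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

IPV4_KEEP_BITS = 24  # clear the last byte, as described in the GDPR talk above
IPV6_KEEP_BITS = 48  # assumption for this example; the comment only covers IPv4


def mask_ip(addr: str, v4_bits: int = IPV4_KEEP_BITS, v6_bits: int = IPV6_KEEP_BITS) -> str:
    """Return addr truncated to its network prefix. Raises ValueError if addr is not an IP."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)


_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def _rewrite_first_field(line: str, fn) -> str:
    """Apply fn to the leading client-address field; unparsable addresses become '-'."""
    m = _FIRST_FIELD.match(line)
    if m is None:  # blank line, leave it alone
        return line
    try:
        replacement = fn(m.group(1))
    except ValueError:
        replacement = "-"  # malformed address: drop it rather than store it verbatim
    return replacement + m.group(2)


def mask_log_line(line: str) -> str:
    return _rewrite_first_field(line, mask_ip)


def mask_log(text: str) -> str:
    """Mask every line; run this at ingest, before anything is archived."""
    return "".join(mask_log_line(ln) for ln in text.splitlines(keepends=True))


# Constructed prefix-to-region table standing in for a GeoIP database; labels are made up.
REGION_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "region-A",
    ipaddress.ip_network("198.51.100.0/24"): "region-B",
    ipaddress.ip_network("2001:db8::/32"): "region-C",
}


def region_of(addr: str) -> str:
    """Map an address to a coarse region label; 'unknown' if no prefix matches."""
    ip = ipaddress.ip_address(addr)
    for net, region in REGION_TABLE.items():
        if ip in net:  # version mismatch simply yields False
            return region
    return "unknown"


def region_log(text: str) -> str:
    """Replace the address with its region so the stored record never holds the IP."""
    return "".join(_rewrite_first_field(ln, region_of) for ln in text.splitlines(keepends=True))


def unique_visitors(text: str) -> int:
    """goaccess-style count: number of distinct parseable client addresses."""
    seen = set()
    for line in text.splitlines():
        field = line.split(" ", 1)[0]
        try:
            seen.add(ipaddress.ip_address(field))
        except ValueError:
            continue
    return len(seen)


if __name__ == "__main__":
    print("raw unique:", unique_visitors(SAMPLE_LOG))
    print("masked unique:", unique_visitors(mask_log(SAMPLE_LOG)))
    print(mask_log(SAMPLE_LOG))
    print(region_log(SAMPLE_LOG))
```

Masking has to happen on the way into the archive, not on a copy taken afterwards, otherwise the raw file still exists and the retention argument from the first comment has to carry it. Note also that a /24 still identifies a small group (two of the sample hits collapse to one masked address, which is the point), so the unique-visitor figure you get from masked logs is a lower bound, not the exact count goaccess reports on raw logs.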