Hello, and welcome to the Friday Tech Fix for June 5! My original goal has been to cover what I think are the “biggest” technology stories of the week, and why lawyers should care about them. But we are currently living in extraordinary times, and big technology news has been taking a backseat to, well… more important topics.
So this week, I’d like to offer my take on two tech stories that caught my eye – not necessarily because they are the biggest, but because they touch on issues important to me – and, I think, to lawyers as well.
WHAT DOES “INCOGNITO” REALLY MEAN?
Have you ever used Google Chrome’s Incognito Mode? If so, you may have a claim in a new $5 billion lawsuit filed against Google this week. The lawsuit claims that despite promising you the ability to surf anonymously, Google is still tracking and collecting browsing information from you without your knowledge, using Google Analytics and Ad Manager.
Here’s how Incognito Mode is supposed to work: it allows you to open a browser tab where your activity won’t be tracked by Google inside the browser – so while you are Incognito, Chrome will not collect your browsing history, any website cookies or site data you come across, or any information you enter into web forms. However, Google doesn’t promise that your Incognito web surfing is completely anonymous: it warns you that your activity still might be visible to the websites you visit, your employer or school, and your internet service provider. (Note: this is at least partly due to a flaw in the software that still makes user activity detectable by websites – a flaw that can, and should, be fixed. Nevertheless, Google does acknowledge that front and center.)
So, when you use Incognito Mode and you visit another website, that website might be using Google Analytics to monitor its traffic and visitors – and in so doing, Google Analytics might nevertheless be collecting information about you even though you started out in Incognito Mode in the first place.
Why lawyers should care. I like to think lawyers will always be interested in the legal merits of a lawsuit, no matter what the topic. But as individual consumers on the internet, you should also care because it’s important to understand how information is collected about you, so you can take appropriate action if it matters to you. Does this case have merit? The plaintiff’s argument seems to rely on the fact that all of these independent websites chose to use Google Analytics, which was just waiting to collect information from Incognito users. One site I found claims that Google Analytics is used by around 55% of all internet websites – which is not a small percentage, but is actually smaller than I expected, for Google. It feels like a somewhat attenuated position to take – it will be very interesting to see how this plays out.
THIS EXPLAINS WHY NO ONE USES A PASSWORD MANAGER
I am in the midst of a multi-part series on the blog about getting and actually using a password manager. I am always amazed at the number of lawyers who choose to maintain a very loose password management strategy, using the same, fairly easy-to-break passwords on multiple sites. Now I think I’ve figured out why I can’t convince many people to use one: because no one really cares. My proof? A recent survey from Carnegie Mellon’s Security and Privacy Institute found that only around one-third of users change their passwords after they have been notified of a data breach.
What this means is that, if 100 people are notified that a website they frequent was the victim of a data breach, 66 of those people will choose to say “yeah, someone might have my login credentials for this site, but I’m good.” My mind is fairly boggled at the thought.
To be fair: the study may be subject to some level of bias. The results were compiled by analyzing the web traffic of an opt-in research group where users sign up and share their full browser history for the sole purpose of academic research. Is it possible that the most security-minded of us would decline to share our browser history with a university? Very likely. So take this study with a requisite grain of salt.
Why lawyers should care. Whether or not the study is flawed, there were still a lot of people surveyed who don’t particularly care if their passwords get compromised. Are you one of those people? If so, do you routinely interact with confidential information of your clients on any of these sites? Good password management should be at the foundation of a lawyer’s obligation of technical competence – so please, even if you aren’t using a password manager, please exercise some good common sense when dealing with passwords on the internet. It doesn’t hurt to use a password manager, either.