harshvladha | 7 years ago

There's a difference between Signed out, and Incognito (no cookies)!

+ People generally tend to miss the point that Incognito doesn't prevent sharing the IP of the user.

+ I think DuckDuckGo's study missed out using VPN in their analysis. i.e., SignedIn vs Incognito vs (Incognito+VPN)

Bartweiss|7 years ago

The "even in Incognito" part of this is certainly the biggest result I see. And I agree on the study limitation; attempting to clean up localization effects after the fact doesn't feel like a strong fix. It should be possible to isolate device and location effects by using multiple devices in one location, then VPN-ing one device to multiple 'locations'.

One thing that caught my eye was Google's response about Incognito:

> The company did confirm that it does not personalize results for incognito searches using signed-in search history, and it also confirmed that it does not personalize results for the Top Stories row or the News tab in search.

Since it's a corporate reply, the standard question is what's not present: a statement that Incognito isn't personalized, or isn't personalized beyond device type and location. Perhaps I'm too cynical, but "we don't personalize using X" parses as "we do personalize in other ways".

nl|7 years ago

> it does not personalize results for incognito searches using signed-in search history

To me this sounds reasonable. A very large number of searches are locality based, and it is entirely reasonable to localize them based on IP address (and - as you note - the device type).

It's also reasonable to customize based on recent (session based) search history (refinements, spelling corrections, etc).

The difference between this and personalization seems mostly about semantics IMHO.

frandroid|7 years ago

Google definitely personalizes based on geoIP location, that's not exactly a secret.

Kalium|7 years ago

> There's a difference between Signed out, and Incognito (no cookies)!

Is there? I was under the impression that Incognito and its cousins generally still accept and preserve cookies for the duration of the temporary session. This means that for this purpose, there isn't really a difference.

gfo|7 years ago

Incognito is supposed to give you a completely clean session that doesn't carry over the cache, cookies, etc. from your normal browsing context.

In this study, my understanding is that result personalization carried over from a normal browsing session into the clean, Incognito session, likely due to IP correlation or possibly through User-Agent strings. So while Incognito has its own context that is wiped once the session has ended, the result personalization didn't need anything saved in the browser to recognize who you are.

snowwrestler|7 years ago

Incognito will accept new cookies but to my understanding it won't serve existing cookies that pre-date the Incognito session. A fresh Incognito window is supposed to be like you cleared your history and cookies before opening it, and then cleared them again when you close it. But yeah, in between the browser acts as normal.

In a normal (not Incognito) browser window, you don't have to be logged into Google for Google to read Google cookies. Logging out doesn't make you anonymous; they still know who you are.

jakelazaroff|7 years ago

Even with a VPN it's possible to somewhat reliably fingerprint browsers, no? You can check user agent, screen size, installed plug-ins, etc.
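The signals discussed in this thread (cookies, IP address, User-Agent, script-readable attributes such as screen size and plugins) can be compared side by side in a small model. This is an added illustration, not part of any comment and not a description of how Google personalizes results; all values are constructed, and treating screen size and plugins as readable only when scripts run is a simplifying assumption.

```javascript
// Constructed model, not measured data: what a server can observe per request.
const device = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0", // constructed
  screen: "1920x1080",
  plugins: "pdf-viewer",
};
const HOME_IP = "203.0.113.7";  // documentation range (RFC 5737)
const VPN_IP = "198.51.100.42"; // documentation range (RFC 5737)

// Build the server-side view of one request.
// cookieJar: cookies the browser context holds for the site.
// js: whether scripts run; screen and plugins are modelled as script-only signals.
function observe({ cookieJar, ip, js }) {
  return {
    cookieId: cookieJar.id ?? null,
    ip,
    userAgent: device.userAgent, // sent as a header on every request
    screen: js ? device.screen : null,
    plugins: js ? device.plugins : null,
  };
}

// Signals that are present in both requests and carry the same value.
function sharedSignals(a, b) {
  return Object.keys(a).filter((k) => a[k] !== null && a[k] === b[k]);
}

const normalJar = { id: "abc123" }; // cookie held by the regular profile (constructed)
const scenarios = {
  signedOut:        { cookieJar: normalJar, ip: HOME_IP, js: true },  // same jar, just logged out
  incognito:        { cookieJar: {},        ip: HOME_IP, js: true },  // fresh, empty jar
  incognitoVpn:     { cookieJar: {},        ip: VPN_IP,  js: true },
  incognitoVpnNoJs: { cookieJar: {},        ip: VPN_IP,  js: false },
};

// Compare each scenario against an earlier request from the regular profile.
function compareAll() {
  const baseline = observe({ cookieJar: normalJar, ip: HOME_IP, js: true });
  const out = {};
  for (const [name, s] of Object.entries(scenarios)) {
    out[name] = sharedSignals(baseline, observe(s));
  }
  return out;
}

console.log(compareAll());
```

Each row lists what still matches the regular profile's request, which is the comparison (signed in vs Incognito vs Incognito+VPN) the top comment asks for.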

bo1024|7 years ago

Disable javascript by default!