Curious to get HN's take on this. I was pretty surprised at Google a few days ago. A family member had recently passed away, and so I Googled ("funeral homes <location>") in incognito on Google Chrome (I suppose it felt a bit sensitive and I didn't want my Google account associated with it). A few minutes later I opened up Google Maps on my phone (different device, but logged into my Google account) and there were a few ads for funeral homes (they looked like squares and were highlighted).
Obviously, this is technically feasible: I was on my home internet (both computer & phone), and presumably there are <5 accounts that share this IP address. So when I search, they ~know who I am, and so therefore could serve me ads when I'm logged in. But I was still surprised that Google would do it — I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting. (Since, well... it is quite trust destructive.)
Does anybody know if Google is doing this intentionally? It seems like this is pretty value destructive for them long-term? Or... am I just being paranoid and this is just a frequency illusion?
Actually — while I'm here: does anybody have recommendations for per-app or per-site VPNs, especially on iOS? That's basically what I would want here: a different IP address when I open an incognito window, or for each app on my phone (e.g. Brave should have a different IP address than Gmail). I ask because while system-wide VPNs help somewhat... if I ever open anything identifying, I can effectively be fingerprinted anyways.
For example, if I start a Mullvad VPN, and open up an incognito window, but am still signed into Google (on my non-incognito window), Google now knows who I am (in both windows). Then if I browse a website that has GA (within incognito), theoretically Google could figure out who I am. This would be avoided if I shared nothing (not IP address, not browser fingerprinting) between my two windows. Is there any way to do that at scale besides just... closing everything before I go into incognito?
It has been obvious that we were supposed to be sandboxing these browser sessions in the OS and sandboxing these Google Accounts in basic internet opsec. Being able to create and discard these identities at will is the only sensible, resilient way to function.
Google has actively fought against this, and many people haven't noticed. Things like requiring 2FA for new Google account activation are ridiculously destructive to the ability to maintain any privacy or security. My workplace started demanding 2FA phone/email activation and their response to "So give us a workplace email account then, I'm not using my personal phone" was literally "Just go create a free GMail", which isn't a thing any more without a personal phone.
And it goes beyond new accounts.
I have a 2006-vintage, realname, first.last@gmail.com forwarding account for formal uses that I can't access any more DESPITE HAVING THE PASSWORD AND CONTROL OF THE RECOVERY EMAIL because I refused to hook up 2FA, and moved from the old PC to the new PC which Google doesn't recognize session cookies on. Give Google the keys to the castle or fuck you, we're walling up the doors.
These are dark patterns that, if Google is going to fight us on, demand regulation. Consistent access to specific email & phone numbers were never supposed to be this important to a functioning life, and not supposed to provide a shady for-profit private entity with a permanent panopticon dossier on your activities either. We would flip the table and replace governments if they tried to do this to us. We have, in some cases.
Burn it all down and create some kind of nonprofit NGO to run email or to run the Google Empire, which needs to be simultaneously secure and feasibly pseudonymous in order for people to continue having the basic human rights they enjoyed in the 2010's and 2000's when Google was still in the "Be Less Evil" phase.
Highly recommend iCloud Private Relay plus Safari. Sites often think I'm in New England, or Montreal, or a bunch of places I'm not, seemingly at random.
From Incognito window's note
> Others who use this device won’t see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved
Incognito does not hide your activity from Google. Especially when you googled in incognito and they likely use IP addresses as part of their targeting. I am also assuming it's different for different kinds of ads given you wont see ads if you look at something personal. They infact allow IP address targeting somehow. [1] Their privacy stance is more about 3rd party not having access to the data google has collected.
My assumption (I no longer work at Google, and I didn't have anything to do with this part of the infra) is that Google uses IP addresses for ad targeting (and other targeting). In fact I think they announced this recently, but I believe they were doing it before. It is also possible it was coincidence in your case, but I doubt it.
Google fully understands that users are reaching for incognito because they want their session to be 100% ephemeral they just don't care because they're paid to not care. Technical distinction between local and remote data is unrelated, Google could offer privacy if they wanted to.
Google has specifically created an entire page telling users exactly what to expect from incognito browsing: it's the first page that opens when you go incognito mode, every time
Do you think browsers should send to the server that it is in incognito mode? Because that is what you are asking for, that would just reduce privacy not increase it.
But sure, sending that extra tidbit of information specifically to servers that they can verify won't track you would be a good tradeoff.
Even worse is that they probably do try to detect if you're in an incognito session, but only for their benefit.
Edit: Here's an easy thing they could do. Even if we accept or pretend to desire cross-browser correlation at all, new-seeming browser profiles could have their information siloed for a few days and if they disappear in that time it all gets treated as an incognito session.
I don't think there is consensus on HN regarding privacy issues.
I'm with the author. I view Google as a mass surveillance operation that has grown so large and invasive that I no longer want anything to do with them. I avoid their services as much as I can, and try to minimize and isolate cases where I can't.
It used to be worse. I operate a vpn for my extended family, some of whom are deployed overseas at any time.
They would google for things and suddenly my ads would show nightclubs near them (thousands of miles from me) and google’s default language would even change to the country they currently reside in. Just because the outgoing ip is shared across both users.
It’s actually gotten “better” but one could argue maybe they’re able to perform more precise targeting instead of throwing away signal.
> I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting
How would that work without unmasking the use of incognito mode? All the backend[1] knows is that it got a request for a search. There's (by design!) no way to know that that came from an incognito window in a browser that is otherwise logged in to a Google account.
[1] I know I know, this is a(nother) anti-Google rant. But Facebook and Microsoft and TikTok and everyone else does this too. If you flag your interest in $THING on the internet to $SITE, then $SITE will try to show ads for $THING to your roomates, kids, grandparents, etc...
While it very much could be a frequency illusion, i also think it's naive to assume this is remotely value destructive for them in the longer term. The number of people who will notice or care is obscenely small in comparison to their larger population.
Personally I wouldn't put it past them to absolutely do it on purpose/by design.
Had the same thing happen to me and I am wondering how this can be legal (here in Europe).
It is basically indirectly leaking search information to other users of the IP.
I can think of not so bad information where it e.g. shows engagement ring ads.
But I can also think of quite bad scenarios.
You search for xyz and that goes into some online system with associated features like ip subnet or whatever. Then you load gmaps from the same subnet. It's not about "knowing who I am" it is just a distance metric in a hyperparameter space.
Hmm. Good point; agreed it's likely just getting ingested by online system. I guess I would've thought that Google would drop non-logged-in requests from going into their online system, or that at least they would do so for incognito requests from their own browser. Haha. How naive I am!
I have a separate phone with location off and always on mullvad VPN, and separate accounts for everything, and I still see ads on my main phone for things I search for or interact with on my VPN phone. It's infuriating.
Proximity to other rf emitting devices? I always assumed this is how those "I googled x and discussed it with a friend over dinner and now my friend sees adverts for X" type things work.
For some reason, this reads like a elaborately fake post to indirectly bring up search interest groups (google's ridiculous alternative to third party cookies).
That comment seemed a little bit snide to me, so I visited the website just to prove you wrong. Unfortunately, it was so disorienting I had to close it after scrolling for a few seconds :0
n8n AFAIK is a workflow builder whereas at Superblocks, we are an Application builder (in addition to a workflow builder). We enable developers to build user interfaces that "bind" to APIs that they build with this feature.
I've used it a bit and find it to align more with the free form node approach where the lines between them define the "control". I think this approach where we introduce a visual programming language has the potential to change the way the industry views products like these.
There's something about the ability to drag on a try catch, use a native break block in a loop, etc. that feels very "like code".
I think if you look at no-code tools like Zapier, they do a great job empowering business users with most simple use cases like moving data from one app (ie facebook ads) to another (ie google sheets). But if you want to build a really advanced use case, like Amazon's support routing, for example, then Zapier will be able to get you 50% of the way there very quickly, but the remaining 50% basically becomes impossible.
We built Workflows for developers and see it as an alternative to writing cron jobs from scratch. While you can definitely write some code in Zapier, Workflows focuses on putting SQL and JS front and center when you need it, GUI when you don't.
If you give Workflows a try, I'd love to hear your feedback (jamie@retool.com)
I'm a Retool user and going to try writing a script now...
Edit: hmmm, it's pretty hard. I was trying to export a pretty simple app but it looks like there's a ton of features not supported here. (I guess it's pretty hard to build a full development environment with GUIs.) For example, I have a simple table in Retool where I'm doing inline editing. Unfortunately Openblock's table is read-only. So I guess I'll have to manually add a form. Unfortunately, I wasn't able to easily add validations to the form, and it seemed a bit buggy when submitting it too (maybe not properly debouncing?). Also, it looks like the permissioning system is much more rigid, and doesn't support, for example, showing different things in the app depending on the user group?
Looking forward to seeing it mature, but it does feel like there is a lot of surface area. I've tried a few other OSS builders, and I think Retool still comes out ahead when it comes to building actual production use cases. Like another comment said, I do wonder whether there will ever be a true OSS version? Seems like everything is "free for now, will charge for enterprise features later". At that point you might as well just use Retool, since the product is a lot better?
It’s great to see more options out there, though...
Not so -- there is a starter plan at significantly reduced cost that has deployment restrictions, but with the standard plan you build your own standalones and they work forever.
How does this compare to Retool (https://retool.com)? We use Retool at my company and like it; this seems like it is similar, but targets non-developers and is less mature (e.g. in the quality of the components)?
Obviously, this is technically feasible: I was on my home internet (both computer & phone), and presumably there are <5 accounts that share this IP address. So when I search, they ~know who I am, and so therefore could serve me ads when I'm logged in. But I was still surprised that Google would do it — I guess I would've thought that Google would drop incognito mode requests and not use them for ad targeting. (Since, well... it is quite trust destructive.)
Does anybody know if Google is doing this intentionally? It seems like this is pretty value destructive for them long-term? Or... am I just being paranoid and this is just a frequency illusion?