No one in the world seems to know how Google's privacy controls work, and the company probably likes it that way. The latest example is from Rodriguez v. Google, an ongoing 2021 class-action lawsuit over Google's infamous "Web & App Activity" privacy check box. The box claims to stop Google from saving a user's "activity" to Google's servers, but the lawsuit says that isn't true. The interesting bit today comes from an expert witness called by the plaintiffs, who testified that even Google CEO Sundar Pichai incorrectly described how this check box works to Congress.
Like a lot of Google court cases, this case has most of the records sealed so that embarrassing comments and testimony about the reality of Google's business don't reach the public. The Register noticed that a transcript of the expert's video deposition is public, though, so we can see just a glimpse of what is going on in this case.
The expert witness, Jonathan Hochman, called Google's "Web & App Activity" check box "a fake control, because it doesn't do—technically doesn't do what it seems it should do." Hochman later said, "It looks like even Sundar Pichai is confused about how this control works because he testified in front of Congress and told them something that is just wrong from a technical perspective."
In another public filing, the plaintiffs more explicitly spell out what this is referring to, saying, "For example, Google CEO Sundar Pichai testified to Congress that, within 'My Account,' a user can 'clearly see what information is collected, stored.' That supposedly 'clear toggle' Mr Pichai was referring to could only be [the Web & App Activity control]." The filing goes on to say: "Contrary to Mr. Pichai's congressional testimony, the founder of Google's Privacy and Data Protection Office testified in this case that he is 'not aware of any setting' that users can employ to prevent Google from collecting data related to their app activity."
Google's vagueness around the Web & App Activity feels like it's all part of the plan, a common strategy of "dark patterns" that are found frequently around privacy controls. By being vague, Google hopes you'll think the privacy switch is more effective than it really is. As for what the switch really does: If you turn off Web & App Activity, Google will stop applying the data it captures to "personalize" some very specific user-facing interfaces like Chrome, Search, and Android.
Google has a million divisions, though, and the activity switch has nothing to do with something like the Google Ads, which is a vast, uncontrollable, inescapable data-harvesting machine. And it's not just active on Google products; core technologies that third parties rely on, like "Firebase" push notifications and Ad SDKs, let Google's data-collection tendrils into third-party services, and there's no turning those off.
None of this is explained to users on the Web & App Activity page—Google only wants to vaguely describe how user data is used and doesn't actually explain how the dirty underbelly of ad monetization works. Google's misleading description means a straightforward reading of the words on the page suggests the Web & App Activity switch will stop all Google tracking, but it does not. Web & App Activity is about personalization, not monetization or privacy.
In addition to there being no way to turn off Google ads tracking, there's also no way to "clearly see what information is collected" by Google, as Pichai claimed. Google often points to the "Web & App Activity" list, but that's just a summary of products you've interacted with lately. It's not the massive profile Google builds for every user as they move across the web, regardless of account settings or login state. There's no way to view that.
Hochman's testimony said he found Google's privacy switch "counterintuitive" and "frankly, kind of Orwellian, it is just very strange that you have a privacy switch that when you flip it, it just means we don't tell you that we're spying on you."