Security experts are complaining about an update to Google’s Chrome browser that they say undermines users’ privacy.
With the release of Chrome 69, it was discovered that when you log in to your Google account, or any Google service for that matter, you will also be automatically logged in to Chrome, whether you want to or not.
The issue revolves around how and when people choose to log in to the Chrome browser (which is different than logging in to Google services like Gmail). In past versions of the browser, this was a voluntary step. Doing so means users can sync information like bookmarks, passwords, and browsing history between devices, a feature Google calls “Chrome Sync.” It also means that their user data is stored on Google’s servers — something that some people are understandably unhappy about.
But with Chrome 69, the latest version of the browser, whenever someone logs in to a Google service like Gmail or YouTube, they are now automatically logged in to Chrome as well. This, critics say, is an underhand change that will nudge people into inadvertently sharing more data with Google.
Criticism over the update has been bubbling over the internet, with Chrome engineer and manager Adrienne Porter Felt explaining the change on Twitter. According to her, the change was made to avoid a problem some users have when sharing devices.
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you're "signed in" whenever you're signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/
— Adrienne Porter Felt (@__apf__) September 24, 2018
In the new version of Chrome: when you sign in or out of a Google website, Chrome UI shows your sign-in status in the top right corner. 2/ pic.twitter.com/h1ndpMPDlT
— Adrienne Porter Felt (@__apf__) September 24, 2018
Felt outlined a scenario in which someone using a shared computer signs out of a Google service like Gmail and believes they’ve also signed out of Chrome. If they haven’t actually done so, then the next user might have access to their data stored in the browser.
She also notes that automatically logging a user into Chrome doesn’t mean their personal data is automatically shared with Google. For this to happen, Chrome Sync has to be enabled separately.
But critics say this isn’t good enough. Matthew Green, a cryptographer and professor at Johns Hopkins University, was one of the first to outline the problem in a blog post this weekend. Green says that despite the fact that Chrome Sync isn’t automatically turned on, the end effect is still to nudge users into sharing more data.
“This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this,” writes Green.
I’m still annoyed that Chrome has gone to mandatory Google login — exactly the same way Android did (and has received enormous criticism for) — and people at Google are acting like they’re surprised people are upset.
— Matthew Green (@matthew_d_green) September 22, 2018
I’m also annoyed at the people who say “it’s just all your browsing data so what’s the big deal?” It’s my *browsing data* that’s exactly why it’s a big deal!!!
— Matthew Green (@matthew_d_green) September 22, 2018
When you log directly into Chrome, one of the features that is automatically enabled is sync. This feature automatically synchronizes your bookmarks, history, passwords, and other settings with your Google account.