Chrome has long included a feature that lets you log in, connecting the browser directly to your Google account. This lets the browser, via its sync feature, store information about your web usage on Google’s servers, including your browsing history, bookmarks, tabs, autofill information, and a list of your installed extensions. Google provides it as a convenience for users because it enables them to synchronise the browser environment across their devices.
As you’d expect, not everyone likes the idea of sending their data to Google’s servers. Chrome users have traditionally been able to surf the web, including Google’s own websites, without signing into the browser.
Recently, though, Matthew Green, assistant professor at Johns Hopkins University and a cryptography expert, discovered that an update to Chrome has been signing users into their Chrome browsers whenever they logged in to a Google website. He blogged about it in full here.
From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.
This angered the privacy-conscious Green, who doesn’t want Google seeing his web usage data. He has deliberately avoided signing Chrome into his Google account ever since he began using it.
According to Google executives, the rationale for the change stems from the fact that you can sign into Google in two ways when using Chrome. In addition to the browser’s own login feature, you can also sign in via the Google web page, as you would in any browser.
Adrienne Porter Felt, an engineering manager on the Google Chrome team, explained in a Twitter conversation with Green that the company made the change to avoid a common privacy problem, particularly on shared computers where one user may have logged into Chrome, unaware that someone else has signed into a different Google account on the web.
She defended the company’s position by pointing out that the automatic sign-in feature does not automatically cause the browser to synchronise your web usage data to Google. Users have to turn that on separately.
The intent is to prevent a common confusion in shared device situations where the login state of the browser ends up different from the login state of the content area. It does not turn on sync without an additional consent step
— Adrienne Porter Felt (@__apf__) September 22, 2018
She also went into more depth in another Twitter thread designed to update users:
FYI the chrome privacy notice has now been updated https://t.co/84hyyc5cwa
— Adrienne Porter Felt (@__apf__) September 24, 2018
On desktop versions of Chrome, signing into or out of any Google web service (e.g. google.com) signs you into or out of Chrome. Sync is only enabled if you choose.
The clarification hasn’t made Green much happier. He argues that the account-muddling problem Google is trying to solve shouldn’t affect users who don’t want to sign into the browser. On his blog, he writes:
In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.
So if signed-in users are your problem, why would you make a change that forces unsigned–in users to become signed-in?
He worries that if Google is now logging him into Chrome when he didn’t give it permission, it makes it difficult to trust the company’s assurances about syncing. He also argues that it’s relatively easy to sync by mistake using a single click, because once logged in, the browser displays a blue synchronization button that he says is ambiguous.
Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident?
He goes so far as to call it a ‘dark pattern’, by which he means a user interface design decision intended to manipulate or mislead.
He isn’t the only person to have noticed that. Others responded to Porter Felt’s tweets, with at least one person complaining that their data had been synced as soon as they were signed in:
i think what people are most upset about, myself and now john included (https://t.co/a1rAEKtZD9) is i) the dark pattern used here to try to trick users into syncing and ii) the uncertainty around what happens if you accidentally click that button. is local stored history sent up?
— Patrick Donahue (@prdonahue) September 24, 2018
Google’s former director of information security engineering didn’t seem that enamoured by the move either. Michal Zalewski, who left the company in March to join Snap, led a team of around 100 engineers at the search and advertising giant. He chimed in:
So, you know, realize that I’m in a tiny and uninteresting minority, so not gonna make a stink about what’s probably an OK change for most, but it made me a tiny bit less happy =)
— lcamtuf (@lcamtuf) September 22, 2018
One clear message that came through from several Twitter respondents to Porter Felt is that this change should have been flagged to users publicly before Google made it. Now it has happened, the company has had to play catch-up and clarify the implications for Chrome users.
So, what do you do if you’re among those who love using Chrome and don’t want to move? You can set a passphrase to encrypt the synced information that Google stores about you on its servers, and you can also select which data to sync.
Last week Naked Security ran a poll to discover which web browser our readers trust the most. It’s moves like this one that ensure, in spite its preeminent market share, it isn’t Chrome.