According to security researcher S. Bálint, any time someone using Chrome 69 logs into a Google service or site, they are also logged into Chrome-as-a-browser with that user account. Essentially, Google is forcefully logging users into Chrome.
The Chrome browser’s privacy policy notes that if you are not signed in, all the information is stored locally on your system. However, all the data – including your browser history and password autofill information – is sent to Google servers once you’re signed in. That leads users to believe that Chrome 69’s forced login policy is sharing user data with Google.
The Chrome privacy policy (https://t.co/vPUqvOjFRR) articulates two separate “browser modes” with different privacy properties. One is “basic” and the other is “signed in”. Compare them. pic.twitter.com/ShXehQFYtI
— Matthew Green (@matthew_d_green) September 22, 2018
However, Adrienne Porter Felt – an engineer and manager on the Google Chrome team – said that the user data is not getting uploaded to Google servers. But if that’s true, then why is Google forcefully logging people in?
Think of it as adding "yo FYI you're currently logged in to Gmail" in the corner of the browser window. That's what the feature does. It's different from the feature you seem to be talking about which we call sync, that has privacy implications.
— Adrienne Porter Felt (@__apf__) September 22, 2018
My teammates made this change to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device. 3/
— Adrienne Porter Felt (@__apf__) September 24, 2018
Automatically logging people into browsers potentially creates an unsafe environment on shared devices: Others who use the device may be able to access your account, even when you think you’ve logged out of the services you just used.
Felt said that the new version of Chrome’s UI now uses a profile icon to the right of the address bar to indicate that you’re signed into any of Google’s services. Apparently, this change was made so that users don’t forget to sign out on shared machines. But its effectiveness may be limited, as people may not realize they’re logged into the browser – especially if they don’t notice this change.
You can change this behaviour by going to ‘chrome://flags/#account-consistency’ and disabling the ‘Identity consistency between browser and cookie jar’ flag. Some developers have also built a privacy-centric fork of Chrome called Ungoogled-Chrome.
This feels a lot like the Google+ integration that the company previously tried to force onto folks who used its Search, Gmail and YouTube services; it later removed this functionality after receiving negative feedback.
The company has been guilty of sneakily recording user data several times in the past. Earlier this year, it was revealed that Google was recording users’ location data even if they had turned that setting off. A few years ago, The Guardian found that Google was quietly recording all your voice searches and storing them on its servers – without disclosing this to users.
Companies like Google often make changes to their platforms and, instead of explicitly informing people, hide mentions of these tweaks in documentation that few users actually read. Privacy and transparency are, sadly, becoming harder to come by as we invest more in online services.