A Small Google Chrome Change Stirs a Big Privacy Controversy

Credit to Author: Lily Hay Newman| Date: Mon, 24 Sep 2018 21:07:11 +0000

Though Chrome launched in 2008 as a scrappy upstart, it has for years been the dominant web browser, with over 60 percent market share on both desktop and mobile. So when Chrome adjusts its features or policies, it impacts a huge chunk of people worldwide. And a recent change to how Chrome treats logins has shown how poorly those alterations can go over.

Even if you don't know much about the intricacies of Chrome's settings, you probably know that you can log into Chrome with your Google account—to sync your browsing history and other useful data across devices—or you can use it without logging in. That choice has always been a Chrome hallmark, emblematic of the balance between Google's business incentive to gobble up all of your data and its stated goal of respecting user privacy.

But in its 10th anniversary release a couple of weeks ago, Chrome started exhibiting a new behavior that alarmed users who purposely stay logged out. If you're logged into a Google service like Gmail, an icon in the upper-right corner of Chrome windows now shows that you're logged into Google's browser as well, regardless of your previous preference.

"This move is a deal breaker," a commenter known as colordrops wrote on Hacker News in early September in one early thread about the change. The perception, understandably, was that Chrome now takes a single login to a particular Google service as carte blanche permission to log a user into other Google products, and starts sharing data like browsing history.

"This was a bright line they made. And they violated it without telling anyone, and only updated their privacy policy after the fact when people freaked out."

Matthew Green, Johns Hopkins University

Over the weekend, Johns Hopkins cryptographer Matthew Green questioned Google's motivations in a series of widely read tweets. Chrome engineering manager Adrienne Porter Felt responded, also on Twitter, that rather than automatically logging users into Chrome, the new icon instead indicates a sort of in-between state. Google says that the new Chrome login resembles Google's general Single Sign-On feature, which allows your login on Gmail, say, to carry over to Google.com, or any other service in the ecosystem. The company maintains that the new type of Chrome login does not result in any more information about a user or their browsing habits going to Google’s servers than being logged out would.

"Think of it as adding 'yo FYI you're currently logged in to Gmail' in the corner of the browser window," she wrote on Saturday. Porter Felt explained that the Chrome team added the feature to reduce problems with simultaneous logins on shared computers. Things like browsing data can get unintentionally shared when two Google accounts—one on Chrome, another on Gmail, for instance—are logged in on the same device.

Porter Felt and other Chrome engineers also emphasized that getting logged into Chrome because of another Google service doesn't automatically turn on syncing features and enhanced data sharing with Google, the way it does if you intentionally log into Chrome itself. "Simply signing in to Gmail doesn't start syncing anything to Google," Chrome engineering manager Mathieu Perreault wrote. "It will reuse your Gmail credentials in case you want to sync, but … you have an extra step to consent to be syncing to Google."

Though the change would barely be noticeable to customers who keep Chrome signed in all the time, these explanations still frustrate the population of privacy-conscious users who intentionally stay signed out of Chrome. They also argue that the move violated Google's privacy policy, which defines two distinct modes of Chrome: "Basic browser mode" and "Signed-in Chrome mode." The new change complicates this dichotomy.

Though Chrome developers said publicly over the weekend that this partial Chrome login doesn't automatically cause data to sync to Google's servers, and Google affirms this assertion, it is still difficult to totally understand how the shadow login state differs from being fully logged out. Chrome will start syncing if you click one of the sync buttons that shows up around Chrome. It shows one final prompt confirming the decision with the option "Ok, got it." Once you start syncing, it will draw on locally stored URLs you typed into the search box, but not full browsing history from before syncing began.

"It was a big change and they should have expected that people would react to it" says Jim Fenton, an independent identity privacy and security consultant who says he has been wary of using Chrome for years for fear of policy changes like this. "So the thing people are concerned about from a design standpoint is that this could cause users to do what Google wants them to do. The way it was done really gave an impression that they were doing something they weren’t being entirely up front about."

It is unclear how the shadow login state differs from being totally logged out.

Google updated its privacy policy on Monday morning to say, "On desktop versions of Chrome, signing into or out of any Google web service (e.g. google.com) signs you into or out of Chrome. Sync is only enabled if you choose. To customize the specific information that you synchronize, use the 'Settings' menu. You can see the amount of Chrome data stored for your Google Account and manage it on the Chrome Sync Dashboard." The policy revision doesn't fully clarify what the Twilight Zone third login state is or does, though.

"Even if no data goes up [to Google's servers] it’s still a huge change," Johns Hopkins' Green says. "This was a bright line they made. And they violated it without telling anyone, and only updated their privacy policy after the fact when people freaked out."

Given the dominance of Google's products and services, the company has repeatedly come under fire for changes like the Chrome login revision that seem to quietly and subtly consolidate the company's power even more. And while those frustrated by the change still support the Chrome Privacy team's desire to reduce the risk of unintentional syncing between accounts, they note that the lack of clarity creates mistrust. Many massive Chrome initiatives have been for the greater good—like the group's multi-year campaign to promote HTTPS web encryption and ding sites that don't use it—but the power to influence the entire web comes with heavy responsibility. And users who avoid logging into Chrome say they did not feel represented or considered in Chrome's recent change.

For privacy-conscious users who don't want to be signed into Chrome in any way and risk another policy change that exposes more of their data, the best option for continuing to use Chrome seems to be using a secondary browser for your Gmail and other Google services. Which is a pretty unappealing prospect.

https://www.wired.com/category/security/feed/