Google secretly logs users into Chrome to spy on them whenever they log into a Google site

Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change.

  • Playlist

  • 0:00

  • Fullscreen

Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.

According to several reports [ 1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system --also known as Sync.

This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers.

Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

CNET: Google Chrome pushes the web toward HTTPS

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy.

That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click.

Traditionally, enterprises accomplished secondary storage, data protection and management with scale-up architectures and point products. Those solutions still work but, as organizations seek greater agility and resilience, the IT industry is clearly making a shift to a scale-out approach.

In this brief, we will explore the relative values of scale-up to scale-out and what you should be thinking about when considering a move to a scale-out secondary storage or data protection management platform.

White Papers provided by Commvault

Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person's Google account.

TechRepublic: How to use Microsoft Edge on your mobile device

But despite this clearly logical decision behind this move, users are still angry. First and foremost, they are angry because they don't have this ability to decide when they log into their browser, and second, they are angry because Google had failed to tell them about this new move.

Google Chrome 69 was released on September 5, more than two weeks ago, and if you haven't been probing the depths of Twitter, Mastodon, or Hacker News, you wouldn't have known of this change in Chrome's behavior.

Almost all users who never used Chrome's Sync feature before might find it surprising that they are logged into Chrome right now, as they read this article, if they've also logged into a Google account somewhere on Gmail, YouTube, or any other service.

Also: Firefox bug crashes your browser and sometimes your PC

But the criticism doesn't stop here. Matthew Green, a well-known cryptography expert and professor at Johns Hopkins University, pointed out in a blog post today that Google has also redesigned the Sync account interface in a way that it is not clear anymore to users when they are logged in or what button they should push to start syncing.

He calls this change a "dark pattern," a term used to describe user interfaces that have been intentionally designed to be misleading.

In its current form, the Sync interface is indeed misleading, and a user might be one wrong click away from giving all their browser data to Google by accident.

But some also suggested that Google's move might have been planned well in advance. Chrome 69 was a major release for Google, coming with many new features, including a new user interface. Some claim that Google hid this new change in the Chrome 69 release, hoping that nobody would spot it among all the goodies the company added to its browser, hence, the reason why it did take over two weeks for Google aficionados to spot the update.

Green's social media clout, along with some heated Twitter conversations, did manage to push things at Google's HQ, and Chrome engineers have told Green that Google will clarify Chrome's Privacy Policy to reflect Chrome's new mode of operation.

Though this policy update may satisfy some lawyers in Google's cozy offices, this does not address the issue that Google has modified a Chrome feature without telling users, and that modification might lead to serious privacy breaches.

Microsoft has suffered a major reputational blow due to its initially hidden Windows 10 telemetry practices, and so has Facebook in the recent Cambridge Analytica scandal. Twitter is also known to be flooded with bots, fake news, and political influence campaigns, and Reddit is a home for communities dedicated to abuse, harassment, and physical threats.

Through the years, Google has managed to keep a shiny reputation, despite being known to be the biggest data hoarder around. It's usually shady behavior and small things like these that bring down a company's reputation. Oh, wait!

As one of the ZDNet readers pointed out earlier today on Twitter, users can disable the sneaky auto-login behavior by accessing the chrome://flags//#account-consistency page and disabling the Account Consistency option.

That syncing feeling when you realise you may be telling Google more than you thought

Chrome gets a bit less shiny with auto sign-in

kids drink milkshake

Google's Chrome lost more of its shine over the weekend as the normally calm and reasoned world of Twitter erupted in indignation after users realised the search giant was automatically signing them into its browser.

The change appeared in Chrome 69, which rolled out at the beginning of September and initially occupied users with the revolutionary/repulsive (delete as appropriate) rounded interface, which had been heavily trailed in the preceding months.

As the weeks passed, users have since noted some decidedly more worrying behaviour.

Cryptographer and professor at John Hopkins University Matthew Green took to Twitter to highlight the problem.

In a nutshell, the situation is that Chrome used to allow users to skip through the World Wide Web without needing to sign into Google's browser services. Sure, in return for signing into Chrome and (optionally) selecting what should be synchronised to Mountain View's servers (including browsing history), users might find things a bit more convenient, but it wasn't mandatory.

Now it is optional no more. Should a user navigate to a Google property (perhaps a rarely used site such as Gmail or YouTube) Chrome will automatically sign the browser into the user's Google account with only a small icon in the top right corner of the window to indicate what has happened.

Google engineers were quick to respond to the protests, insisting that the feature was actually a helpful hint to let users know that they were logged in, and that more action on the part of the user was needed in order to enable Sync and start the data slurp.

Chrome engineer and manager Adrienne Porter Felt explained furtherover several posts. The kindly search provider had, of course, its users' best interests at heart and had merely tweaked the UI to make sure users knew they were still signed in – in case they handed their device over to someone else, for example.

Nice, but not enough to calm annoyed users. While it is important to note that what frightened users the most – the slurping of browser history – won't start automatically, the problem is that even if a user has happily been using Chrome throughout its 10-year life while declining the offer to sign in, that option has silently been taken away.

Coupled with an interface that makes it very easy to accidentally enable the slurpage, it seems as though Google has taken one look at Microsoftsuggesting that users might prefer Edge, and said "hold my beer".

Google has form in collecting data when the user has asked it not to, and it would be unsurprising if this surreptitious slurpage was eventually extended to the enormous user base of Chrome. But this feature is all about usability, right?

We contacted Google to learn more about its plans, and were directed to Twitter for more information. Great. ®