How advanced persistent threats are creating new vulnerabilities Watch Now

Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.

According to several reports [ 1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system --also known as Sync.

This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers.

Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

Also: Google Chrome pushes the web toward HTTPS CNET

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy.

That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click.

Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person's Google account.

Also: How to use Microsoft Edge on your mobile device TechRepublic

But despite this clearly logical decision behind this move, users are still angry. First and foremost, they are angry because they don't have this ability to decide when they log into their browser, and second, they are angry because Google had failed to tell them about this new move.

Google Chrome 69 was released on September 5, more than two weeks ago, and if you haven't been probing the depths of Twitter, Mastodon, or Hacker News, you wouldn't have known of this change in Chrome's behavior.

Almost all users who never used Chrome's Sync feature before might find it surprising that they are logged into Chrome right now, as they read this article, if they've also logged into a Google account somewhere on Gmail, YouTube, or any other service.

Also: Firefox bug crashes your browser and sometimes your PC

But the criticism doesn't stop here. Matthew Green, a well-known cryptography expert and professor at Johns Hopkins University, pointed out in a blog post today that Google has also redesigned the Sync account interface in a way that it is not clear anymore to users when they are logged in or what button they should push to start syncing.

He calls this change a "dark pattern," a term used to describe user interfaces that have been intentionally designed to be misleading.

In its current form, the Sync interface is indeed misleading, and a user might be one wrong click away from giving all their browser data to Google by accident.

But some also suggested that Google's move might have been planned well in advance. Chrome 69 was a major release for Google, coming with many new features, including a new user interface. Some claim that Google hid this new change in the Chrome 69 release, hoping that nobody would spot it among all the goodies the company added to its browser, hence, the reason why it did take over two weeks for Google aficionados to spot the update.

Green's social media clout, along with some heated Twitter conversations, did manage to push things at Google's HQ, and Chrome engineers have told Green that Google will clarify Chrome's Privacy Policy to reflect Chrome's new mode of operation.

Though this policy update may satisfy some lawyers in Google's cozy offices, this does not address the issue that Google has modified a Chrome feature without telling users, and that modification might lead to serious privacy breaches.

Microsoft has suffered a major reputational blow due to its initially hidden Windows 10 telemetry practices, and so has Facebook in the recent Cambridge Analytica scandal. Twitter is also known to be flooded with bots, fake news, and political influence campaigns, and Reddit is a home for communities dedicated to abuse, harassment, and physical threats.

Through the years, Google has managed to keep a shiny reputation, despite being known to be the biggest data hoarder around. It's usually shady behavior and small things like these that bring down a company's reputation. Oh, wait!



As one of the ZDNet readers pointed out earlier today on Twitter, users can disable the sneaky auto-login behavior by accessing the chrome://flags//#account-consistency page and disabling the Account Consistency option.

https://www.zdnet.com/article/google-erases-dont-be-evil-from-code-of-conduct-after-18-years/

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories: