Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site (zdnet.com)

Posted by msmash on from the privacy-nightmare dept.

Catalin Cimpanu, writing for ZDNet: Starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system -- also known as Sync. This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers. Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy. That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click. Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers. Well-respected cryptographer Matthew Green was disappointed by the move. In a post, he wrote: [...] In the rest of this post, I'm going to talk about why this matters. From my perspective, this comes down to basically four points:
1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
3. The change makes a hash out of Google's own privacy policies for Chrome.
4. Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly.

11 of 179 comments (clear)

  1. two hands by cascadingstylesheet · · Score: 5, Informative

    On the one hand, yeah, blech.

    On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?

  2. Not news by fluffernutter · · Score: 4, Insightful

    This isn't really news. Chrome has sent more information to Google than other browsers for ever. Why people use it is beyond me.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Not news by GameboyRMH · · Score: 5, Interesting

      Fun fact, Chrome for Android sends the fine details of the device you're using in the user agent string, down to the device model, and as far as I can tell there's nothing you can do about this other than not using Chrome for Android.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  3. But I don't use Chrome by rossdee · · Score: 4, Funny

    So how does that work

  4. Huh? by smooth+wombat · · Score: 4, Insightful

    Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

    What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.

    Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone. This death by a thousand cuts is so last decade.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Huh? by swillden · · Score: 4, Interesting

      What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.

      Profiles address the issue, but the problem they're trying to address for users who don't use profiles is pretty clear. Jane is using the computer and has logged the browser in to her Google account, and has sync and web history enabled. Dick uses the computer and logs into his gmail account, then does does some browsing, thinking the browser is logged into his account, which has web history disabled. His browser use gets logged in Jane's web history, violating Dick's privacy in two ways: He didn't want his browsing logged at all, and depending on the relationship between Dick and Jane and and what exactly he browsed, may really not want it logged to Jane's account, where she can see it (though if this is the situation, he's an idiot for using a shared browser and not opening an incognito window, because local browser history is a thing).

      Perhaps even worse, I said that Jane has sync enabled, which can include password sync. So Dick may inadvertently give Jane his passwords this way, too.

      My bet (though I don't have any particular knowledge about it) is that this is not a theoretical scenario, that it has actually screwed a number of people which is why it came to the Chrome team's attention.

      Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Huh? by swillden · · Score: 4, Informative

      Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.

      Here's a better analysis, by an engineer on the Edge browser team: https://textslashplain.com/201...

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Disable it then. by olsmeister · · Score: 5, Informative

    Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.

    1. Re:Disable it then. by Anonymous Coward · · Score: 5, Insightful

      Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.

      And how do you know that works?

      Because Google's software said so?

      "Yep! We pinkie-promise that we're not snooping on you now!"

  6. Tied to a platform by sjbe · · Score: 4, Interesting

    On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?

    Definitely. One of the reasons I don't use or install Chrome even though I do use some Google services. I use Firefox in part because it's the only one of the major browsers to not be owned by a major tech company. Chrome seems to work fine but compared with Firefox it's at more or less a dead heat technically speaking and performance-wise (for my purposes anyway) so why tie myself tighter to Google than absolutely necessary? That's not an argument that Firefox is perfect (it isn't) but it seems to be the least worst option in this regard.

  7. Re:So.... by PopeRatzzo · · Score: 4, Insightful

    Indeed it does. Just last night Chrome auto-updated itself to 69. I was running an older version for two or three years (had very good reasons to) and had all the auto-update garbage turned off, developer mode turned on, and the like. I rebooted my machine, and out of nowhere was this candy coated new Apple-like interface.

    This is when I immediately uninstalled Chrome, filled in their "survey" that it automatically takes you to, and installed Firefox. I was very pleased to see that Firefox gives you the option off the bat to use an address bar as an address bar. There's nothing like a bait and switch "feature" hijacking all your address data, phoning home under the guise of offering lame suggestions, and performing a search if you mistyped and didn't get a FQDN right.

    I won't be going back any time soon.

    Google: Be Evil. (TM)