Google has responded to blowback about a privacy hostile change it made this week, which removes user agency by automating Chrome browser sign-ins, by rowing back slightly — saying it will give users the ability to disable this linking of web-based sign-in with browser-based sign-in in a forthcoming update (Chrome 70), due mid next month.
The update to Chrome 69 means users are automatically logged into the browser when they are signed into another Google service, giving them no option to keep these digital identities separate.
Now Google is saying there will be an option to prevent it pinning your Chrome browsing to your Google account — but you’ll have to wait about a month to get it.
And of course for the millions of web users who never touch default settings being automatically signed into Google’s browser when they are using another Google service like Gmail or YouTube will be the new normal.
Matthew Green, a cryptography professor at Johns Hopkins, flagged the change in a critical blog post at the weekend — entitled Why I’m done with Chrome — arguing that the new “forced login” feature blurs the previously strong barrier between “never logged in” and “signed in”, and thus erodes user trust.
Prior to the Chrome 69 update, users had to actively opt in to linking their web-based and browser-based IDs. But Google’s change flips that switch — making the default setting hostile to privacy by folding a Chrome user’s browsing activity into their Google identity.
In its blog post Google claims that being signed in to Chrome does not mean Chrome sync gets turned on.
So it’s basically saying that despite it auto-linking your Chrome browsing and (Google) web-based activity it’s not automatically copying your browsing data to its own servers, where it would then be able to derive all sorts of fresh linked intel about you for its ad-targeting purposes.
“Users who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such as turning on sync,” writes Chrome product manager Zach Koch.
But in his blog post, Green is also highly critical of Google’s UI around Chrome sync — dubbing it a dark pattern, and pointing out that it’s now all too easy for a user to accidentally send Google a massive personal data dump — because, in a fell swoop, the company “has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click”.
“The fact of the matter is that I’d never even heard of Chrome’s “sync” option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I’m forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my data local as the barriers between “signed in” and “not signed in” are gradually eroded away,” Green also wrote.
Hence his decision to dump Chrome. (Other browsers are certainly available, though Chrome accounts for by far the biggest chunk of global browser usage.)
Responding to what Koch colorlessly terms “feedback” about the controversial changes, he says Google is going to “better communicate our changes”.
“We’re updating our UIs to better communicate a user’s sync state,” he writes. “We want to be clearer about your sign-in state and whether or not you’re syncing data to your Google Account.”
His explanation for Google flipping the default to be privacy hostile (rather than user affirmative) is to claim that “we think sign-in consistency will help many of our users”, saying Google has “received feedback from users on shared devices that they were confused about Chrome’s sign-in state”.
“We think these UI changes help prevent users from inadvertently performing searches or navigating to websites that could be saved to a different user’s synced account,” he also writes.
Though, as Green points out, making more people sign in to Chrome (rather than fewer) is a fuzzy sort of fix for an account ‘pollution’ issue.
Chrome’s flipped switch also now means users have to take Google’s word for it that it won’t suddenly auto sync their data to its own servers — say by making another opaque change, in the future, to further automate the harvesting of users’ personal data.
Privacy policies that can just be unilaterally rewritten at any point, without obtaining fresh consent from the user, aren’t worth the pixels they’re claiming to be inked in.
Let’s also not forget this is the same company that, back in 2012, combined around 60 separate privacy policies into a single overarching policy and Google account covering multiple, distinct web products — thereby, also in a fell swoop, collapsing multiple user identities which, prior to then, people had been able to maintain (to try to control what Google knew about them).
Google’s push where privacy is concerned is pretty clearly one way — away from individual agency and control, and towards it being able to join up ever more personal data dots which its ad-targeting business can use.
With the Chrome update the company has rubbed out yet another privacy firewall for users wanting to fight its amassing of conglomerate profiles of their online activity.
And even with the after-the-fact switch that’s being announced now (and only after a critical backlash), which from next month will let settings pros disable the default Chrome auto-link, the company’s general direction of travel does not respect user agency at all. Quite the opposite.
Google seems to be trying to make consent itself an after thought — i.e. for the few who know to poke around in the settings. Instead of what it should be: An affirmative, baked in by design to ensure privacy is available for everyone.
Google’s push to erode privacy looks likely to bring it problems in Europe, where a tough new regional data protection framework makes privacy by design and default mandatory.
Failure to comply with this element of the GDPR can attract fines as large as 2% of a company’s global annual turnover — which would not be a trivial sum for a company as revenue-heavy as Alphabet.
And, as others have pointed out, Google making a major change to how Chrome handles sign-ins does not look like business as usual for the product. So the company would have been well advised to have carried out a privacy impact assessment — to ensure the changes it’s making were compliant with GDPR.
We’ve asked Google whether it carried out a data protection impact assessment (DPIA) ahead of pushing out the change to sign-ins on Chrome 69 and will update this report with any response. Or whether it’s handling sign-ins differently in the EU (which does not seem to be the case).
We’ve also asked if it will commit to making any DPIA for Chrome public.
A spokesman acknowledged receipt of our questions but at the time of writing the company had not sent any answers.
There’s another potentially problematic issue for Google here too, vis-a-vis GDPR, because according to Koch’s blog post it is not currently clearing Google auth cookies when cookies are cleared by the user.
He writes that it will “change this behavior that so all cookies are deleted and you will be signed out”. But that’s going to take about a month.
In the meanwhile a user action (clearing cookies) is not resulting in Google clearing all cookies — which looks like a pretty clear violation of EU privacy rules, albeit temporarily (if it’s going to fix it next month).
We also asked Google about its failure to clear all cookies.
Safe to say, Google’s privacy hostile actions look sure to attract close scrutiny in the EU where privacy is a fundamental right.
But the company is also set to face questions on the topic in a Senate committee hearing today — and is expected to acknowledge that it has made “mistakes” on privacy issues, according to documents seen by Reuters.
Though it will also apparently claim it has “learned, and improved our robust privacy program”.
Certain Chrome users would probably take a very different view.