This article originally appeared on ZDNet.
Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.
According to several reports [ 1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system —also known as Sync.
This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers.
Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.
SEE: Google Chrome pushes the web toward HTTPS (CNET)
Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy.
That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click.
Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.
When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person's Google account.
SEE: How to use Microsoft Edge on your mobile device (TechRepublic)
But despite this clearly logical decision behind this move, users are still angry. First and foremost, they are angry because they don't have this ability to decide when they log into their browser, and second, they are angry because Google had failed to tell them about this new move.
Google Chrome 69 was released on September 5, more than two weeks ago, and if you haven't been probing the depths of Twitter, Mastodon, or Hacker News, you wouldn't have known of this change in Chrome's behavior.
Almost all users who never used Chrome's Sync feature before might find it surprising that they are logged into Chrome right now, as they read this article, if they've also logged into a Google account somewhere on Gmail, YouTube, or any other service.
But the criticism doesn't stop here. Matthew Green, a well-known cryptography expert and professor at Johns Hopkins University, pointed out in a blog post today that Google has also redesigned the Sync account interface in a way that it is not clear anymore to users when they are logged in or what button they should push to start syncing.
He calls this change a "dark pattern," a term used to describe user interfaces that have been intentionally designed to be misleading.
In its current form, the Sync interface is indeed misleading, and a user might be one wrong click away from giving all their browser data to Google by accident.
But some also suggested that Google's move might have been planned well in advance. Chrome 69 was a major release for Google, coming with many new features, including a new user interface. Some claim that Google hid this new change in the Chrome 69 release, hoping that nobody would spot it among all the goodies the company added to its browser, hence, the reason why it did take over two weeks for Google aficionados to spot the update.
Though this policy update may satisfy some lawyers in Google's cozy offices, this does not address the issue that Google has modified a Chrome feature without telling users, and that modification might lead to serious privacy breaches.
Microsoft has suffered a major reputational blow due to its initially hidden Windows 10 telemetry practices, and so has Facebook in the recent Cambridge Analytica scandal. Twitter is also known to be flooded with bots, fake news, and political influence campaigns, and Reddit is a home for communities dedicated to abuse, harassment, and physical threats.
Through the years, Google has managed to keep a shiny reputation, despite being known to be the biggest data hoarder around. It's usually shady behavior and small things like these that bring down a company's reputation. Oh, wait!
As one of the ZDNet readers pointed out earlier today on Twitter, users can disable the sneaky auto-login behavior by accessing the chrome://flags//#account-consistency page and disabling the Account Consistency option.
- Google fixes Chrome issue that allowed theft of WiFi logins (ZDNet)
- Google investigating issue with blurry fonts on new Chrome 69 (ZDNet)
- Chromebooks: A cheat sheet (TechRepublic)
- Google restores 'www' to Chrome URLs after user backlash (ZDNet)
- Windows support scam uses evil cursor attack to hijack Google Chrome sessions (ZDNet)
Catalin does not own any stock or cryptocurrency, does not have affiliations with cyber-security firms, and has never published paid-for or sponsored articles.
Catalin Cimpanu is a security reporter at ZDNet, where he covers cyber-security, data breaches, hacking, and other related topics. He previously served as security reporter for Bleeping Computer and Softpedia. Catalin is based in Romania.