Chrome has established a reputation for security, and when Google makes changes to the interface or features, other browser makers typically follow. Recent changes to how Chrome treats logins have some people worried about future privacy implications, but that doesn’t automatically put the browser in the “do not use” bin.
The latest brouhaha came when privacy-conscious users noticed Chrome’s 10th anniversary release appears to sign the user into the browser when the user logs into a Google service such as Gmail. This was a noticeable change, because in the past, it was possible to log into services such as Gmail and Google Drive without signing into Chrome. Now, the same action displays the user’s profile picture in the Chrome window. Users who did not want their browsing history and bookmarks uploaded to Google servers or synced across multiple devices could avoid that by not signing in. It appeared that Google was treating the user’s logging into the Google service as permission to sign into Chrome, thus ignoring the user’s specific choice not to do so.
“From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you,” Matthew Green, a cryptographer and Johns Hopkins University professor, wrote in “Why I’m Leaving Chrome.”
Chrome engineering manager Adrienne Porter Felt clarified over Twitter that even though it looked visually like the user was signed into Chrome, it was an in-between state where syncing and enhanced sharing were not turned on. There is no difference in the amount of user information and browsing history being sent to Google servers in this in-between state and the previous not-signed-in state, Porter Felt said.
“My teammates made this change to prevent surprises in a shared device scenario,” Porter Felt wrote on Twitter. “In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device.”
Could Google have been upfront about the change, instead of waiting for privacy-conscious users to start asking why they can no longer stay signed out of Chrome? Sure. Does it seem a little havey-cavey that the change is “fixing” a problem that would never have affected users who were signed out in the first place? Certainly. Does the privacy policy, which used to be straightforward, get complicated because it is no longer just “basic browser mode” and “signed-in Chrome mode”? Definitely. Is it complicated to turn off this behavior? Unfortunately.
Is the change significant enough to stop using Chrome? Like practically everything in security, it depends.
While privacy-conscious users may not like the in-between state and feel that Google is just waiting for people to stop paying attention before rolling out more changes to grab user data, privacy isn’t the only reason to use Chrome. The Chrome team has spent years focusing on making a secure browser, including its multi-year effort to broaden HTTPS usage on the web and change how HTTP pages are marked in the browser. The security drumbeat over the past few years has focused on turning on two-factor authentication and moving away from SMS-based options. Yet for users relying on hardware keys such as YubiKeys, Chrome was pretty much their only choice until a few months ago. Mozilla added support for security keys in Firefox 60, but it isn’t enabled by default and requires users to manually turn on the feature via about:config.
“There are good reasons for using the browser. Let’s assume the [new] feature is needed,” wrote security researcher Lukasz Olejnik.
Olejnik framed the current situation as a communication issue, and one with potential implications under the new European data privacy law GDPR. First of all, the privacy policy was not consistent with the changes and did not reflect the fact that syncing wasn’t part of signing in to the browser. Google updated its privacy policy after the furor to clarify the change:
“On desktop versions of Chrome, signing into or out of any Google web service (e.g. google.com) signs you into or out of Chrome. Sync is only enabled if you choose. To customize the specific information that you synchronize, use the 'Settings' menu. You can see the amount of Chrome data stored for your Google Account and manage it on the Chrome Sync Dashboard.”
Google addressed the possibility of users not being certain of their login state by making the interface consistent across the web and the browser, but created other areas of confusion. Green called the new interface a dark pattern because it is easier for someone to unintentionally activate sync, and Olejnik concurred that it was possible to “deliberately-inadvertently” turn on sync.
The change in Chrome’s login feature is high impact, as it affects lots of users, concerns user expectations of how software works and defaults, and changes how the browser works. “Well-designed user interfaces are of particular concern,” Olejnik wrote, noting that GDPR specifically states that software needs to be designed with consideration of data protection—by design and by default. Google had a responsibility to align user expectations with what actually happens with the browser.
“Perhaps Google has designed the new login feature well, considering the user privacy under the hood, but not accounting in the user interface. However, we are unable to know about this of course—it is not explained anywhere,” Olejnik said.
Software changes inevitably will cause users to question the necessity of the changes. The question is whether or not the potential for abuse is enough reason to stop using what is, currently, a good enough tool.