A security researcher recently made a startling discovery when it comes to Google’s Chrome browser. Normally, Chrome gives users the option of being logged in or not as they browse the web. Now, however, Chrome login is automatic—Google signs users in without their consent when they log into a service like Gmail.
The new practice was quietly included in a Chrome update that rolled out a few weeks ago and isn’t welcomed by all. Google didn’t notify users of the switch, which means that some users may be sending Google data on their browsing habits without their knowledge or consent.
“Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into—entering my Google credentials and signing into Chrome—into something I can now do with a single accidental click,” cryptographer and Johns Hopkins University professor Matthew Green wrote in a blog post titled “Why I’m done with Chrome.”
Green outlines why this automatic login behavior is a bad idea and it boils down to two key ideas: The first is that the Google Chrome team has been unable to provide clear rationale for the change, he says. Second, it has big implications for user privacy and trust.
When questioned about the new Google Chrome login scheme, Chrome managers told Green that just because a user is logged into Chrome doesn’t mean their activities are being tracked by Google. Users need to first activate a sync feature for this to take place. Google Chrome engineering manager Adrienne Porter Felt elaborated on this publicly in a series of tweets Sunday evening.
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you're "signed in" whenever you're signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/
— Adrienne Porter Felt (@__apf__) September 24, 2018
However, Green contends that this sync consent menu was designed to be misleading so users end up sharing their data with the company. Previously, Chrome users need to enter their credentials a second time before enabling this feature; it now only takes a click.
Among other questionable security practices and trust violations a study earlier this year found that Google can collect user data while you’re in incognito mode in certain situations.
If you’re a Chrome user, you can tell whether you’re logged into Chrome or not by whether your account avatar is present in the upper right as you browse. By tapping the three-dot icon next to your account image, you can also sign out of your Chrome account.
- The 50 all-time best Google Chrome extensions
- Google could collect user data while in incognito mode, study finds
- How to get a Google Voice number
H/T Business Insider