Google’s surprise change to a privacy setting in its popular Chrome web browser is raising hackles from privacy advocates and some users of the product who say that the company has not been upfront enough.
The change, which was little noticed until a security researcher blogged about it on Sunday night, has left the internet company fighting a familiar criticism: that its appetite for data to fuel its online ad business trumps its concerns about its users.
Matthew Green, a security and cryptography researcher from Johns Hopkins University blogged about the change Google quietly made as part of the browser’s latest update, Chrome 69. Green wrote that from now on, when people login in to YouTube, Gmail or any of the company’s properties, they will automatically be logged in to Chrome at the same time.
Late on Sunday night, Google responded to the growing controversy by confirming the login change.
This is dramatic change and a possible threat to users’ privacy, according to Green.
“Google believes they can make these changes without consequence,” said Marc Rotenberg, the president of consumer privacy advocacy group EPIC. “The privacy model is simply broken. Companies are constantly changing the rules of the game.”
What’s all the fuss about?
For years, Google allowed users of its Chrome browser to surf the web without logging in through a personal Google account. Chrome users didn’t have to worry that their web browsing history would be included with the other personal data Google maintains about registered users of its products. For that to happen, a user would have to sign in to Chrome and to consent to a “data sync” between Chrome and the other Google products they use.
Now that Google logs people in to Chrome automatically, managers have removed one of those steps of protection, Green wrote. What’s more, he said, a new and “confusing” sync-consent page, makes it easy for users to mistakenly give up their browsing data to Google.
Eric Lawrence, a former Google employee who worked on Chrome but is now employed by rival Microsoft, said he doesn’t see any reason to be alarmed.
“Yes, Chrome has streamlined the opt-in to the browser’s “Sync” features, such that you no longer need to individually type your username and password when enabling Sync,” Lawrence wrote. “Whether you consider this “Great!” or “Terrible!” is a matter of perception and threat model.”
Lawrence points out that when someone clicks the consent button, they will then get a pop-up that informs them of the information they are agreeing to share with Google.
In that prompt, Google notifies users that the company will collect info from users’ “bookmarks, passwords, history and more on all your devices…Google may use content on sites you visit, plus browser activity and interactions to personalize Chrome and other Google services like Translate, Search and ads.”
‘My heart skips a beat’
Plenty of people wrote that they don’t see this as a benign change, including former Googlers. Michał Zalewski, is a computer security expert and former Google employee. He sided with Green that Google has made Chrome less safe.
“Don’t like to pile on,” Zalewski wrote on Twitter, “but I did rely on that as a visual confirmation that the browser is not doing something I didn’t want. Now, my heart skips a beat every time I see the profile-switch menu or chrome://settings – and it’d only take one mis-click to actually start syncing.”
Huge changes in these updates very helpful http://bit.ly/2NBhAMC Dont miss it