Forcing users to log into Google Chrome without consent raises privacy concerns

Just because you are surfing via Chrome doesn’t mean you opted to give up your privacy. But the years of being able to use Chrome without logging in are over. Chrome 69 came out at the start of September, shortly after Chrome turned 10. That is when Google pushed out changes without giving Chrome users a heads-up; you are now automatically logged into Chrome when you log into any Google site.

“Chrome’s new user-unfriendly forced login policy” prompted Matthew Green, a well-known cryptography expert and Johns Hopkins University professor, to explain “Why I’m done with Chrome.” The best answer for the change that he was able to get from Google is that it resolved a problem about shared computers. If multiple people sharing a computer use the same Chrome browser, data will not be sent to the wrong person’s Google account.

Chrome calls this new system Sync. Although Chrome has had a Sync option for years, it was separate from logged-in Google accounts. You could log into a Google service and not log into Chrome. But now when you click on your avatar in the upper right corner of Chrome, you see a Sync option. Syncing still requires a user to click, but is that a clear distinction?

Green refers to this change as a “dark pattern,” as “Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it.”

Google changes Chrome privacy policy

His post did get a reaction by Google, such as the decision over the weekend to change the Chrome privacy policy to reflect the new changes; Chrome’s previous privacy policy included a section for “Signed-in Chrome mode.” The new privacy policy dated today, Sept. 24, 2018, has done away with “Signed-in Chrome mode” and replaced that section with “Signed-in, Synced Chrome mode.”

As more privacy and security experts started to chime in about the Chrome changes, Adrienne Porter Felt, Google Chrome team manager and engineer, fired off a series of six tweets in an attempt to clear up any confusion.

Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you’re “signed in” whenever you’re signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/

— Adrienne Porter Felt (@__apf__) September 24, 2018

Her biggest point boiled down to “signing in does NOT turn on Chrome Sync.”

If you want to turn on Sync, it’s an additional step after you’re signed in. Sync uploads your browsing history to Google so you can access it across devices. Sign-in by itself does NOT do that. https://t.co/t2pPjiqkVe 5/

— Adrienne Porter Felt (@__apf__) September 24, 2018

Still, with Chrome having over half of the browser market share, the explanations did not appease everyone who was concerned about the automatic Chrome sign-in. More than one person brought up the fact that the previous version of Google’s Code of Conduct long promised, “Don’t be evil,” but that promise has been missing for months — at least since May 2018.

Chrome login workaround

If you want to use Chrome but don’t want to be automatically logged into the browser, then consider using this workaround:

Paste “chrome://flags//#account-consistency” in Chrome (without the quotation marks) and change the selection from “default” to “disabled” or one of the other options that suit you.

Ms. Smith