- A security expert has discovered that Google had quietly made important changes to Chrome’s login requirements.
- Matthew Green spotted that Google was logging users into Chrome without their knowledge.
- Google’s changes also made it easier for users to unwittingly turn over their browsing history to Google.
- The company acknowledged the changes late on Sunday, but stressed that users needed to consent to a sync before their browser data was transferred.
For years, Google has given Chrome users the option of surfing the web without logging in.
But on Sunday, a security expert wrote that Google had quietly changed the requirements so that when users log in to a Google service, such as Gmail, Chrome automatically signs the browser into their account without consent.
Google tucked the new login requirements into the latest Chrome update without notifying users, Matthew Green, a cryptography expert and professor at Johns Hopkins University, said in a blog post on Sunday.
The blog post, titled “Why I’m done with Chrome,” began generating debate on Sunday evening and also appeared to send Chrome’s managers into damage control.
By being logged in, Chrome users could unwittingly send their browser data to Google, according to Green. He disclosed that he had contacted Chrome managers and they had told him that just being logged into Chrome didn’t mean a user’s browsing information would be sent to Google. Users would still need to activate the “sync feature” before a data transfer occurred.
And this is where Green, who also said he had quit using Chrome, reserved some of his harshest criticism for Google. He called the Chrome consent page a “dark pattern,” a common term that refers to a user interface designed to deceive or mislead people.
“Now that I’m forced to log into Chrome,” Green wrote, “I’m faced with a brand new (sync consent) menu I’ve never seen before.”
He suggested that this could lead users to mistakenly consent. He added that prior to the recent login change, a user had to key in their credentials to log in and then consent to the sync. Now, users are a single, possibly accidental, click away from turning over their browsing history to Google.
Google referred Business Insider to a series of late-night Twitter posts from Adrienne Porter Felt, an engineer and manager at Chrome.
In one tweet, she confirmed that Google has changed the login procedures. She stressed that even when someone is logged in to Chrome, they must still consent to a sync before their data is transferred to Google.
Green said it is “nuts” for Google to suggest users are safe because of the sync-consent page.
Green wrote: “If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome, (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?”
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you’re “signed in” whenever you’re signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/
– Adrienne Porter Felt (@__apf__) September 24, 2018