It’s been a tough few weeks for Google, and the company’s media operation was presumably hoping that the recent update to its Chrome web browser would pass without controversy.
After all, the Chrome 69 update was the 10th-anniversary release and so surely a time for celebration rather than crisis management?
Wrong! In the past few days, privacy advocates have cottoned on to a seemingly innocuous feature change, which has major privacy implications.
Chrome’s ‘Forced Login’ policy
The discovery was made by Matthew Green, a cryptography professor at Johns Hopkins University, who spotted what he termed a new ‘forced login’ policy.
In a blog post entitled ‘Why I’m done with Chrome’, he explained how he spotted that after logging into his Gmail account using the Chrome browser, the browser remained logged into his account even after he had signed out of Gmail.
Green had been consciously not logging into his Google account when using Chrome for years. He was one of many users who did this to avoid Google collecting his browser details and linking them to his Google account. He saw this enforced change as a betrayal of user trust.
As Green put it on his blog, “if you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?”
He also questioned whether Google was likely to make other policy changes that infringed on user privacy once the fuss about this one had died down, in the hope that no one would notice.
Green was also extremely critical of the way in which Google asks users for permission to collect their browser data. He argues that the way Google asks the question is deliberately designed to obscure the fact that you are agreeing to let Google harvest your data.
The term Google uses for this is ‘sync’, and what they ask is whether users want to sync and personalize Chrome across all their devices. Nowhere does it mention granting permission for Google to collect user data and link it to a user’s account.
Google’s speedy climbdown
Google tried to downplay the issue to start with. But the response issued by Google Chrome product manager Adrienne Porter Felt only really served to exacerbate the problem.
Writing on Twitter, she claimed that Google had made the policy change to Chrome in order to prevent users from thinking they had signed out of Chrome when actually they had not. The implication seems to be that this has been happening for years and that only now has Google seen fit to make it clear to users.
It is significant that, rather than dig their heels in, Google subsequently backed down extremely quickly. In a blog post put up on Tuesday, they confirmed that this policy would be reversed in the next Google update.
In the post, another Chrome Product Manager, Zach Koch, confirmed that from the next update, signing into a Google website like Gmail will no longer automatically sign users into Chrome too.
He added that they would introduce new options and more accurate explanations to make it clearer to users what the ‘Sync’ option actually involved.
The new change will be seen in Google 70, which is scheduled to be released in mid-October. For privacy-conscious Chrome users, it cannot come fast enough.
Why Chrome privacy really matters
It might seem to some readers that this is a relatively minor detail that is not worth getting worked up about. But when you put it into context, it is a really big deal.
Despite only being ten years old, Chrome is already the dominant browser with a market share of more than 60% on both desktop and mobile devices. That means any changes which affect user privacy are going to affect a large number of internet users around the world.
With market dominance comes social responsibility and Google must expect that when they make changes that have an adverse effect on user privacy, these will be picked up on.
Criticism in recent weeks over external apps accessing Gmail, the privacy of kids on YouTube, and Google’s plans to return to China and comply with Communist Party censorship and surveillance should have made that abundantly clear to them.
Internet users are no longer ignorant of the importance of user privacy and the dangers of letting companies like Google hoover up their personal data.
More and more are taking steps to protect their privacy by using tools like a VPN. And they are no longer willing to sit idly by while companies like Google exploit their privacy and profit from their personal data.