- A security expert says Google quietly made important changes to its Chrome web browser’s login requirements.
- The expert, Matthew Green, said in a blog post on Sunday that Google was logging users into Chrome without their knowledge.
- The changes could make it easier for users to unwittingly turn over their browsing history to Google, Green said.
- The company acknowledged the changes but stressed that users needed to consent to a sync before their browser data could be transferred.
For years, Google has given users of its Chrome browser the option of surfing the web without logging in.
But a security expert says Google quietly changed its requirements so that when a user logs in to a Google service such as Gmail, Chrome will automatically sign into their account.
Google tucked the new login requirements into the latest Chrome update without notifying users, Matthew Green, a cryptography expert who teaches at Johns Hopkins University, said in a blog post on Sunday.
The blog post, titled “Why I’m done with Chrome,” began generating debate on Sunday evening and appeared to send Chrome’s managers into damage control.
By being logged in, Chrome users could unwittingly send their browser data to Google, according to Green. He added that Chrome managers told him that just being logged into Chrome didn’t mean a user’s browsing information would be sent to Google – they would still need to activate the “sync” feature before a data transfer could occur.
This is where Green, who said he quit using Chrome because of the change, reserved some of his harshest criticism of Google. He called the Chrome sync-consent page a “dark pattern,” a term describing a user interface designed to deceive or mislead people.
“Now that I’m forced to log into Chrome,” Green wrote, “I’m faced with a brand new menu I’ve never seen before.” He suggested it could lead users to mistakenly consent to the sync, adding that before the login change, Chrome users had to key in their credentials to log in and then could consent. Now, users are a single – possibly accidental – click away from turning over their browsing history to Google, Green said.
Google referred Business Insider to a series of tweets posted early on Monday from Adrienne Porter Felt, a Chrome engineer and manager. In one tweet, she confirmed that Google had changed the login procedures. She also stressed that though users are logged in to Chrome, they must still consent to a sync before their data could be transferred to Google.
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you're "signed in" whenever you're signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/
— Adrienne Porter Felt (@__apf__) September 24, 2018
Green said it was “nuts” for Google to suggest users are safe because of the sync-consent page.
Green wrote: “If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?”