Google has found itself under fire over a recent change the company made to the way users sign into its Chrome browser. Released in early September, Chrome 69 automatically signs the user into the browser the moment they sign in to any Google service. The change predictably led to a backlash from privacy-concerned members of the community. Matthew Green, a cryptographer and professor at Johns Hopkins University, published a lengthy blog post outlining why the change ultimately made him decide to part ways with Chrome.
Although the change looks big-brother-type scary at first glance, it might not be too harmful. The first impression some users had when seeing the new behavior, that the browser would start sending their data to Google's servers right away, has since turned out to be mistaken. Google's Adrienne Porter Felt clarified in a series of tweets that the user would need to perform two extra clicks in order to start uploading their data to the cloud. The new behavior, she wrote, is there for the situations when "people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device."
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you're "signed in" whenever you're signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/— Adrienne Porter Felt (@__apf__) September 24, 2018
Simply put, Google says it wanted to avoid situations where you could log into its services on a shared device while the browser is logged in to someone else's account. This could lead to cookies and other browsing data being synchronized under an account you have nothing to do with.
The explanation has left many people still wondering why Google did not mention the new browser login behavior prominently in the announcements leading up to the launch of Chrome 69. The new version of the browser brought a slew of new features and a redesigned UI, most of which were thoroughly described in online materials supplied by Google, with the exception of this one.
Quietly inserting a forced browser sign-in into Chrome, even though possibly done for good reasons, doesn't add any trust points for Google in an increasingly privacy-driven environment. Some critics say this step could lead to the company actually forcing users to sign in to Chrome by default in the future, but there's no factual support for this suspicion.
The Chrome team at Google is currently updating the browser's privacy notice to make the new sign-in process clearer to users, Felt stated in her tweets. In the meantime, it's also possible to disable the forced sign-in by accessing the chrome://flags/#account-consistency page and disabling the Account Consistency option.
Update (9/26): Google has announced that in Chrome 70, it will include an option to disconnect browser sign-in from signing into its websites, as well as tweaks to cookie clearing and a new Sync UI that offers a clearer explanation of what clicking the button will do.