Chrome 69 Is a Full-Fledged Assault on User Privacy

Maybe Microsoft had a point.

Eleven days ago, we excoriated Microsoft for its now-scuttled plan to add “warnings” to Windows 10 that would nudge users away from using Chrome and Firefox and towards Microsoft’s own browser, Edge. After ferocious outcry, Redmond backed away from this plan, rightly perceiving the issue as a bridge too far when it comes to spreading FUD about its competitors in an attempt to boost its browser’s market share. But Google’s most recent behavior with Chrome 69 isn’t doing it any favors, either, and the company has adopted some new approaches that blur the difference between what it means to be logged into Chrome or not, overriding previous user settings in the process. The company’s explanation for these behaviors, furthermore, does not hold water.

Let’s start at the beginning. Prior to Chrome 69, Chrome offered an optional sign-in feature. This feature had nothing to do with your various accounts on services like Gmail or YouTube — instead, it allowed Google to synchronize things like cookies and bookmarks across all of the devices on which you used Chrome services. Many people embraced the feature, but Google kept it opt-in. The old login icon looked like a blank outline of a person. When clicked, it displayed the following message:

[Image: the pre-Chrome 69 sign-in message]

But now, Google has changed this message. Download and install Chrome 69, and the browser now treats this sign-in option as exercised if you log into any Google account. In other words, Google now treats the Chrome sign-in and the Google account sign-in as equivalent.

There was no reason to make this change. The stated rationale for this change, as expressed by Google engineer and manager Adrienne Porter Felt, is as follows (thread linked below, but we’ll summarize):

My teammates made this change to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device. 3/

— Adrienne Porter Felt (@__apf__) September 24, 2018

This makes superficial sense. The idea is that people thought they were signing out of Chrome when they were actually signing out of a content area. When devices are shared, this could lead to cross-cookie contamination (someone else’s cookies and preferences being loaded instead of your own). And sure, that’s a problem. But as cryptographer and professor Matthew Green points out, this is only a problem for people who sign into Chrome in the first place. If you don’t sign into Chrome, Google’s “fix” didn’t fix anything for you. It broke things. It’s leading to confusion precisely because Google no longer differentiates whether you’re signed into the browser or not. Now, when you sign into Chrome (because now you’re forced to sign into Chrome), you see a new menu in which it isn’t clear what the big blue “Sync as Matthew” button even does. Does it mean you are synced already, or is it inviting you to initiate a sync?

Image by Matthew Green

These changes are all part of what’s known as a dark pattern. If a pattern is defined as a regularity in the world (designed or naturally occurring) that repeats in a predictable manner, a dark pattern is an attempt to trick users by designing interface options that look like the options users expect to see. The following is an example of a dark pattern from Google’s privacy settings that we covered back in 2016:

[Image: Google privacy settings checkboxes]

Notice how the boxes work. The information in the Photos, YouTube / Videos, +1, and Reviews tabs is shared with others if you put a check in those boxes and kept private if you remove the check. But by putting a check in the last box (the box marked “Don’t feature my publicly shared Google+ photos as background images on Google products & services”), you are giving Google permission to do exactly that. First, the company trains you to expect the UI to act a certain way, then it changes the actions of the UI mid-stride so you pick the action it wants you to choose rather than your actual intended result.

As Green writes:

Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data.

It’s not clear if clicking “Sync” is all you need to do or not. Some have seen the Sync feature fully activate from clicking it once, but two-factor authentication may have been involved in that step.

Hmm, in dev, I believe I just click on "sync as" in the user switcher and that turns on all sync settings – I get a "congrats" screen with an "undo" button. Not sure about stable.

— lcamtuf (@lcamtuf) September 22, 2018

But this kind of pattern deployment is fundamentally toxic to trust. It’s particularly toxic for a company that’s proven so willing to end-run around user expectations, including promising two years ago not to track users who turned off location tracking, only to later admit that hey, it’s still tracking users who turn off location tracking. Google has also acknowledged allowing third parties to sweep Gmail for data as well.

On a personal note, it’s deeply unsurprising to see Google do this. Green points out that Google is promising to respect a user’s sync settings after deliberately breaking the conventions that end users were using to tell Google they didn’t wish to sync their software across devices. But this is unsurprising. It’s exactly what Google did years ago with its own opt-out system for automatic updates. The company establishes a mechanism by which users can opt out of something, then breaks that mechanism if too many people opt out of it. We’re supposed to trust that Google will respect the decision of people who don’t want to sync their data with its servers when it just broke the mechanism by which people previously notified it that they did not wish to synchronize with its servers? Muddying the waters with a login that isn’t a login and a “Sync” panel that can seamlessly activate a feature users don’t want aren’t improvements — they’re just as scummy as the games Microsoft played with its Windows 10 update tool near the official end of the free Windows 10 rollout period.

This kind of behavior is profoundly damaging to any conception of trust. Combine it with the endless privacy scandals coming out of Google and the company’s willingness to help the Chinese government spy on its own people, and it’s worth asking why we respect this company at all.
