Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Google Privacy

Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site (zdnet.com) 179

Catalin Cimpanu, writing for ZDNet: Starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system -- also known as Sync. This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers. Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy. That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click. Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.
Well-respected cryptographer Matthew Green was disappointed by the move. In a post, he wrote: [...] In the rest of this post, I'm going to talk about why this matters. From my perspective, this comes down to basically four points:
1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
3. The change makes a hash out of Google's own privacy policies for Chrome.
4. Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly.

This discussion has been archived. No new comments can be posted.

Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site

Comments Filter:
  • two hands (Score:5, Informative)

    by cascadingstylesheet ( 140919 ) on Monday September 24, 2018 @09:03AM (#57367186) Journal

    On the one hand, yeah, blech.

    On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?

    • Exactly. Furthermore, only a fraction of people care, and apparently even those don't care enough to use an open source browser.
      • by Anonymous Coward

        leaving a car on the street with the trunk open is not implicit permission to steal luggage from it. Actually in many jurisdictions stealing in such a situation counts as an aggravation, the opposite of an excuse.

        The same goes for google. Even if I don't get out of my way to protect my privacy using technological tools, that's no excuse for them to take advantage.

        One of the tenets of western culture for which we hold ourselves in such high esteem is that it's not right for the strong to take advantage of t

        • That is really comical if you believe that about "western culture". Rather cute. Anyhow, apparently western culture lacks reading comprehension. I never said they "deserved it". Read it again.
        • Re: (Score:2, Flamebait)

          by Falos ( 2905315 )

          >vulnerable private property is still private
          You clicked Agree.

          This fight isn't on legal or even moral grounds anymore. And privacy isn't a binary condition - you're up against ten-thousand services and a million databases, hundreds of different forms of hoover/pipe/fingerprint/metric acquisition.

          It's like you're bitching about a specific strain of disease. You wash your hands and avoid rotten food as general defenses, not targeted ones. Even those of us with "special tools" aren't immune, we're only red

          • Privacy is and always was an illusion.

            The only way to maintain privacy is to withdraw to a cave in the middle of nowhere, and hope that nobody finds you. The only thing we can do is manage the illusion of privacy.

    • Tied to a platform (Score:5, Interesting)

      by sjbe ( 173966 ) on Monday September 24, 2018 @09:22AM (#57367306)

      On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?

      Definitely. One of the reasons I don't use or install Chrome even though I do use some Google services. I use Firefox in part because it's the only one of the major browsers to not be owned by a major tech company. Chrome seems to work fine but compared with Firefox it's at more or less a dead heat technically speaking and performance-wise (for my purposes anyway) so why tie myself tighter to Google than absolutely necessary? That's not an argument that Firefox is perfect (it isn't) but it seems to be the least worst option in this regard.

      • by Gr8Apes ( 679165 )
        Oh, I use Chrome, for the login to google for Android development I need. It's the only thing it's used for. That keeps my other browsers clean from google turds and easy to keep clean.
      • I use Firefox in part because it's the only one of the major browsers to not be owned by a major tech company

        You could use Chromium or Vivaldi and be even less corporate influenced, but still chrome compatible.

        • You could use Chromium or Vivaldi and be even less corporate influenced, but still chrome compatible.

          Maybe but I don't care at all about compatibility with Chrome and don't see any particular value in that. I want a web browser that works on the sites I visit, is cross platform, has strong privacy controls, is actively developed, and isn't a security train wreck. Edge and Safari are out for me since they are one platform only and one company only. I don't really trust the various forked browsers related to Chrome and Firefox and other "minor" browsers to remain viable and supported long term though I'm

    • by Anonymous Coward

      On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?

      No, we are well aware that Google tracks folks across the Internet and is able to track even more when we log in to use their services. This is why we choose not to log in to their services across the board.

      Now some of us must log into Google at some point. For example, my employer uses Gmail as their mail provider and so on occasion when Thunderbird absolutely can not do what I want (e.g., Block a specific sender), I must log into Gmail through its web interface. If Google is going to start treating tha

  • Not news (Score:5, Insightful)

    by fluffernutter ( 1411889 ) on Monday September 24, 2018 @09:05AM (#57367190)
    This isn't really news. Chrome has sent more information to Google than other browsers for ever. Why people use it is beyond me.
    • Developer tools is why many use it... * I, personally, have used FF since it exists :P
    • Re:Not news (Score:5, Interesting)

      by GameboyRMH ( 1153867 ) <gameboyrmh.gmail@com> on Monday September 24, 2018 @10:08AM (#57367590) Journal

      Fun fact, Chrome for Android sends the fine details of the device you're using in the user agent string, down to the device model, and as far as I can tell there's nothing you can do about this other than not using Chrome for Android.

      • by Gr8Apes ( 679165 )
        Why are you surprised? You should assume that when using chrome any website you touch is reported back to google, including page links you hit, something they're extremely interested in.
        • Why are you surprised? You should assume that when using chrome any website you touch is reported back to google, including page links you hit, something they're extremely interested in.

          Do you know what a user agent string is?

          The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.

          https://developer.mozilla.org/... [mozilla.org]

          Sheesh. FUD much?

      • Fun fact, Chrome for Android sends the fine details of the device you're using in the user agent string, down to the device model

        So what. The Android version and device type are things that might actually be helpful to a service when rendering a page. You know, the whole point of the UA.

        • Strongly disagree, neither should be relevant to anything sent over a webpage, which runs in an OS-independent and largely hardware-independent web browser. It is traditional for the UA to include a rough OS version, although the OS should be completely irrelevant to web contant, but Chrome doubles down and delivers unnecessarily detailed information, down to minor OS revision. Sending the exact model of the device takes this lunacy to the greatest extreme possible short of sending hardware serials, how wou

          • how would you defend this pointless privacy violation?

            You do realize the UA is sent to the requested website, not to Google, right? I guess Google could be sending the same information to themselves, but the existence of the Android version in the UA isn't your smoking gun, sorry.

            But anyway, I guess you are going to need to explain how it's a privacy violation for sites I visit to know what sort of mobile device I use. The website already knows the OS, version of the OS, browser vendor, browser version, rendering engine, rendering engine version. That's in eve

    • by GuB-42 ( 2483988 )

      The truth is that most people don't care about their personal data going to Google.

      And thanks to the bunch of clowns directing Firefox, Chrome came out as the better browser overall, so people use it.

      • I've never really understood the hate for Firefox. I use it on Macbook Pro, Windows Thinkpads, down to my puny Atom linux box and it always does what it is supposed to. I got fed up with Chrome early on because it seemed to be plain broken with a lot of websites, though that may have got better with time.
  • by rossdee ( 243626 ) on Monday September 24, 2018 @09:09AM (#57367208)

    So how does that work

  • Huh? (Score:5, Insightful)

    by smooth wombat ( 796938 ) on Monday September 24, 2018 @09:09AM (#57367210) Journal
    Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

    What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.

    Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone. This death by a thousand cuts is so last decade.
    • by MrKaos ( 858439 )

      Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone.

      They don't want to wake the sheeple.

    • Re:Huh? (Score:5, Interesting)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Monday September 24, 2018 @09:57AM (#57367536) Journal

      What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.

      Profiles address the issue, but the problem they're trying to address for users who don't use profiles is pretty clear. Jane is using the computer and has logged the browser in to her Google account, and has sync and web history enabled. Dick uses the computer and logs into his gmail account, then does does some browsing, thinking the browser is logged into his account, which has web history disabled. His browser use gets logged in Jane's web history, violating Dick's privacy in two ways: He didn't want his browsing logged at all, and depending on the relationship between Dick and Jane and and what exactly he browsed, may really not want it logged to Jane's account, where she can see it (though if this is the situation, he's an idiot for using a shared browser and not opening an incognito window, because local browser history is a thing).

      Perhaps even worse, I said that Jane has sync enabled, which can include password sync. So Dick may inadvertently give Jane his passwords this way, too.

      My bet (though I don't have any particular knowledge about it) is that this is not a theoretical scenario, that it has actually screwed a number of people which is why it came to the Chrome team's attention.

      Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.

      • Re:Huh? (Score:5, Informative)

        by swillden ( 191260 ) <shawn-ds@willden.org> on Monday September 24, 2018 @11:10AM (#57368078) Journal

        Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.

        Here's a better analysis, by an engineer on the Edge browser team: https://textslashplain.com/201... [textslashplain.com]

      • Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.

        How about: when the user logs into a google account that is different than that which is signed into Chrome, put up a dialog noting this and offering to sign out of Chrome. AFAIK this covers every case that I'm imagining the chrome devs might be "concerned" about, and is very up front rather than being silent and behind peoples' backs.

      • You describe a contrived scenario that doesn't need to happen at all, much less require logging in to Chrome itself to resolve it. Fuck that noise.

    • Comment removed based on user account deletion
    • by Agripa ( 139780 )

      What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.

      It has to do with giving an implausibly plausible justification.

      Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone. This death by a thousand cuts is so last decade.

      Are you mad? Google can't say that!

  • Disable it then. (Score:5, Informative)

    by olsmeister ( 1488789 ) on Monday September 24, 2018 @09:11AM (#57367222)
    Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.
    • by Anonymous Coward on Monday September 24, 2018 @09:24AM (#57367312)

      Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.

      And how do you know that works?

      Because Google's software said so?

      "Yep! We pinkie-promise that we're not snooping on you now!"

      • by ugen ( 93902 )

        I know that Chrome respects cookie settings, so that when cookies are not permitted for *.google.com - they are not being stored or sent (this is verifiable with a variety of tools).

        In my case, that's the setting I've been using. No cookies, no login into any Google account.

        • by Gr8Apes ( 679165 )
          ah, but did you get doubleclick.net, or any of the 100s of other Google owned advertising domains? No? Well, a shit ton of good blocking google.com does you as far as tracking goes. Of course this isn't only true for Chrome.
          • by novakyu ( 636495 )

            That's why you don't use cookies blacklist—you use cookies whitelist; no cookies allowed for anybody without your explicit permission (and you can give permission in a way cookies get wiped out in browser re-start).

    • Sorry, the burden is shifted now so that you must DEFEND why anyone would use Chrome at all. Browsers have a few jobs, but Chrome does so much more!

      On a related note, can anyone recommend a good lightweight XMPP chat client for Android?
    • Better yet: change browser. If a piece of software tries to screw the users over, users shouldn't have to find a way around it: they should junk it. That's what that software deserves.

      OTOH, users shouldn't be expected to keep up with all the news about how their software is trying to screw them, because that would be like a full-time job these days. So let's avoid blaming the victims, which is always a popular sport on Slashdot. Google is at blame here, not the users who weren't so computer-savvy as to disa

      • by Gr8Apes ( 679165 )

        Better yet: change browser. If a piece of software tries to screw the users over, users shouldn't have to find a way around it: they should junk it. That's what that software deserves.

        OTOH, users shouldn't be expected to keep up with all the news about how their software is trying to screw them, because that would be like a full-time job these days. So let's avoid blaming the victims

        Why? Why should we stop blaming people who only eat at McDonalds and supersize everything for being obese? That Google has been a data vacuum since 2005 is obvious and anyone who trusts them regarding privacy since then is an idiot. Google is in business to do one thing: sell advertising.

    • by 4im ( 181450 )

      Even if this works - the default should *always* be safety and privacy. Not spying. It seems most companies have willfully forgotten this.

      For giggles, have a look at the GDPR notifications you get at different places. E.g. at engadget, I earlier today got presented with this. You get information on the cookies etc. they set/collect, and supposedly you should be able to modify settings... no, nope... you accept things the way they are or quit the page... which I did. No, I don't want any of that shit. If you

    • I'm going to have to try this. I wonder if it will prevent the 'logging out' or 'pausing' of the primary browser account when someone logs out of a GMail session. It's been causing me headaches.

  • by Anonymous Coward

    I wonder if this applies to Chromium also.

  • The new Microsoft (Score:4, Interesting)

    by OneHundredAndTen ( 1523865 ) on Monday September 24, 2018 @09:16AM (#57367260)
    Google is rapidly becoming the new Microsoft. No wonder they ditched the "Don't Be Evil" motto.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Google is rapidly becoming the new Microsoft. No wonder they ditched the "Don't Be Evil" motto.

      Well, of course they had to ditch that goal, having surpassed it.

      Being merely evil is beneath Google now. They're aiming for bigger things.

      You know, like colluding with with totalitarian governments.

    • Nothing new (Score:4, Insightful)

      by sjbe ( 173966 ) on Monday September 24, 2018 @09:29AM (#57367328)

      Google is rapidly becoming the new Microsoft. No wonder they ditched the "Don't Be Evil" motto.

      Honestly I think Facebook wins the current edition of the Evil Olympics among tech companies. But maybe Google is just a sneakier player and unfortunately the two of them combined are really hard to avoid if you give half a shit about your privacy. I don't have a Facebook account but I'd be truly shocked if they don't maintain some sort of profile about my activities on the web. I block what I can but it's hard to stop them entirely.

      Any company in a position of power is likely to abuse that power to some degree. IBM did, Microsoft did, and the list goes on. Trust them at your peril.

      • by tsa ( 15680 )

        FB is a clumsy toddler in evilness compared to Google.

        • FB is a clumsy toddler in evilness compared to Google.

          Perhaps. Facebook is definitely more blatant about their evil. Google is harder to avoid. Both companies have WAY too few restrictions on what they can do with data about basically everyone.

      • Honestly I think Facebook wins the current edition of the Evil Olympics among tech companies. But maybe Google is just a sneakier player and unfortunately the two of them combined are really hard to avoid if you give half a shit about your privacy.

        Ummm... with Windows 10, Microsoft jumped squarely ahead of everyone in the Evil department. Neither Google nor Facebook have surveillance and control quite as unavoidable as Microsoft.

        While I use Linux pretty much exclusively at home, at work, I constantly find new ways that Microsoft exfiltrates information. Yes, I am a "Security Engineer".

    • As far as I know, Microsoft doesn't sell my data. I'm a Microsoft customer. I give them money, and they give me software. Google's customers are its advertisers.
  • "In the rest of this post, Iâ(TM)m going to talk about why this matters. "

    What he actually posted was:

    "In the rest of this post, I’m going to talk about why this matters."

    • by novakyu ( 636495 )

      Wait, Slashdot can handle nicod now? Why is it still so roken? \_()_/

      P.S. Preview still looks broken, so maybe this won't go through.

  • To watch netflix and amazon. I downloaded palemoon and use it for basic web access. Google has grown to large to keep from becoming 'evil'.

  • by Chas ( 5144 ) on Monday September 24, 2018 @09:36AM (#57367388) Homepage Journal

    Now, as long as it makes them a buck and increases their huge cache of customer info, there's pretty much nothing they won't sink to.

    Distrust of them is why I've avoided Chrome.

  • Sync? More like STINK.
  • by Anonymous Coward

    and don't sign up for Mozilla Sync either. Many of the plugins for Chrome now work in, or have versions for, Firefox because the plugin engine is similar. If you avoid Mozilla's sync they won't get much of your personal information.

  • Yes, I am removing the Chrome browser from all of my devices. I can't not login to Google because they currently host my email and other cloud presence. I figured that something was up because the login switcher has been acting erratically. I would have to clear cookies for the past (hour,4 hours, etc..) to switch between accounts. Several people have already noted that this move was just evil/greed. So, for the sake of .005% improvement on tracking accuracy and data quality they have really pisse
  • by MobyDisk ( 75490 ) on Monday September 24, 2018 @10:51AM (#57367904) Homepage

    Wait... Chrome didn't always do this? I just assumed, from the first day I saw a coworker "log in" to the browser (a concept that made no sense to me at all) it was just a way to automatically log you in to Google's services. Today, I have to use it because developers around me make web apps that only work on Chrome! It's becoming like the IE fiasco from the early 2000's all over again.

    Chrome exists solely for the purpose of furthering Google's marketing efforts. While everyone is vilifying Apple and Microsoft, Google has quietly obtained control of the OS (Android), the browser (Chrome), search (Google), advertising (Adsense), and the web (Amp). The biggest advertiser on the planet has your phone numbers, your texts, your emails, recordings of your voice, ...

    Google didn't create Chrome because they needed a browser, or they wanted to optimize JavaScript, or they needed a debugger. They wanted client-side control of your machine, and it took a browser and an OS to do that.

    Geeks need to go back to Firefox. It isn't made by an OS vendor or an advertising agency, it doesn't snoop on you, and it is completely open source.

    • by Anonymous Coward

      Geeks need to go back to Firefox. It isn't made by an OS vendor or an advertising agency, it doesn't snoop on you, and it is completely open source.

      I was a big fan of Firefox until they quit focusing on geek things and started focusing on PC culture wars. When a person's politics trumps their qualifications the organization is dead to me. Brave on the other hand is a great browser that is also open source.

    • by Anonymous Coward

      Just wait for the revelation that shows the true size of Google's ocean of data. I expect that what we've been told or what most people have even imagined is not even close to the true magnitude. We exist in a world of identification numbers everywhere you go (card numbers, RFID tags, Wifi access point MAC, bluetooth device ID, web browser cookies, and on and on). The possibilities of correlation of all this data are staggering.

    • by Anonymous Coward

      The reverse is happening of what you think:

      - User explicitly uses Chrome without logging in to Google (in the privacy policy, this actually means they slurp less information from you)
      - User logs into some Google web property
      - Chrome silently logs into that Google account without prompting

  • Sorry I can't be as tin-foil hat as the rest of you, but let me tell you how this affected me.

    My PC at home is used by all my family. We pop in and out of Gmail users 100 times a day. However my browser always stayed logged in as the primary user, which affected how the extensions worked, among other things.

    Recently that all changed and everytime someone would log out of email it would log me out of the browser. (Actually it would say 'Paused' but since you had to log back in to un pause it, it's pretty

  • by Anonymous Coward

    Let's be assholes

  • So which one of my 15 Google ids does it use?

  • "Google, we're not evil. Well, no more than any other company...."
  • "Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly."

    I don't think, relatively speaking, that many of us are Google's customers. Most of us are just food on the menu.

  • Honestly, the logic of this change is pretty reasonable. Mostly it just makes the background behavior more visible.

    Previously, if I had gone onto somebody else's machine and decided to log in to check my e-mail while I was on their machine, and failed to do so in incognito mode, then they could hop onto their machine and look not only at my e-mail, but also my calendar, my Drive, and everything else I have related to Google. There would be nothing in the UI to tell me about this behavior at all.

    Making it

In practice, failures in system development, like unemployment in Russia, happens a lot despite official propaganda to the contrary. -- Paul Licker

Working...