Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site (zdnet.com) 179
Catalin Cimpanu, writing for ZDNet: Starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system -- also known as Sync. This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers. Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.
Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy. That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click. Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers. Well-respected cryptographer Matthew Green was disappointed by the move. In a post, he wrote: [...] In the rest of this post, I'm going to talk about why this matters. From my perspective, this comes down to basically four points:
1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
3. The change makes a hash out of Google's own privacy policies for Chrome.
4. Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly.
two hands (Score:5, Informative)
On the one hand, yeah, blech.
On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?
Re: (Score:2)
Re: (Score:1)
Leaving a car on the street with the trunk open is not implicit permission to steal luggage from it. Actually in many jurisdictions stealing in such a situation counts as an aggravation, the opposite of an excuse.
The same goes for Google. Even if I don't get out of my way to protect my privacy using technological tools, that's no excuse for them to take advantage.
One of the tenets of western culture for which we hold ourselves in such high esteem is that it's not right for the strong to take advantage of t
Re: (Score:1)
Re: (Score:2, Flamebait)
>vulnerable private property is still private
You clicked Agree.
This fight isn't on legal or even moral grounds anymore. And privacy isn't a binary condition - you're up against ten-thousand services and a million databases, hundreds of different forms of hoover/pipe/fingerprint/metric acquisition.
It's like you're bitching about a specific strain of disease. You wash your hands and avoid rotten food as general defenses, not targeted ones. Even those of us with "special tools" aren't immune, we're only red
Re: (Score:2)
Privacy is and always was an illusion.
The only way to maintain privacy is to withdraw to a cave in the middle of nowhere, and hope that nobody finds you. The only thing we can do is manage the illusion of privacy.
Tied to a platform (Score:5, Interesting)
On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?
Definitely. One of the reasons I don't use or install Chrome even though I do use some Google services. I use Firefox in part because it's the only one of the major browsers to not be owned by a major tech company. Chrome seems to work fine but compared with Firefox it's at more or less a dead heat technically speaking and performance-wise (for my purposes anyway) so why tie myself tighter to Google than absolutely necessary? That's not an argument that Firefox is perfect (it isn't) but it seems to be the least worst option in this regard.
Re: (Score:1)
Re: (Score:3)
I use Firefox in part because it's the only one of the major browsers to not be owned by a major tech company
You could use Chromium or Vivaldi and be even less corporate influenced, but still chrome compatible.
Why I use Firefox (Score:3)
You could use Chromium or Vivaldi and be even less corporate influenced, but still chrome compatible.
Maybe but I don't care at all about compatibility with Chrome and don't see any particular value in that. I want a web browser that works on the sites I visit, is cross platform, has strong privacy controls, is actively developed, and isn't a security train wreck. Edge and Safari are out for me since they are one platform only and one company only. I don't really trust the various forked browsers related to Chrome and Firefox and other "minor" browsers to remain viable and supported long term though I'm
Multiple funding streams (Score:2)
Over the years, Google has paid Mozilla in excess of $2 Billion. If you don't think Google "owns" Mozilla, you are delusional.
And they've also received upwards of a billion from Yahoo who last I checked was decidedly not owned by Google. I'm aware of the funding but the difference is that Mozilla can and does get funding from other sources. So my choices are 100% Google owned (Chrome) or something less than 100% Google financed (Firefox). I'll take the latter option thanks. Mozilla is its own entity and that counts for something even if it isn't as much as one would hope.
Re: (Score:2)
When you use Google to search for something, are you not providing Google data regarding what is on your mind? When you click one of their search results, are you not providing Google data?
You can change your search provider, or choose not to have search suggestions at all. That's what I do in all my Firefox installs.
Why does Firefox fail to have ad blocking technology built-in by default?
I don't think it's the proper role for Firefox to be doing that. It's good enough that we can block ads through plugins.
Re: (Score:1)
On the other hand, did you really think Google weren't tracking the #%#%$% out of you whenever you logged into anything?
No, we are well aware that Google tracks folks across the Internet and is able to track even more when we log in to use their services. This is why we choose not to log in to their services across the board.
Now some of us must log into Google at some point. For example, my employer uses Gmail as their mail provider and so on occasion when Thunderbird absolutely can not do what I want (e.g., Block a specific sender), I must log into Gmail through its web interface. If Google is going to start treating tha
Re: (Score:1)
Re: (Score:1)
Slow as fuck, hangs the work computer for 20 seconds at a time. I'm sure it's the antivirus being antivirus, but I don't have time for that to happen 20-50 times a day.
Re: (Score:1)
Re: (Score:1)
Re: (Score:3)
This used to happen with previous versions of Firefox <= 56, specifically due to XUL.
I'm not sure if it happens now; but I also encountered it with some machines which have Kaspersky antivirus installed, because most anti-virus products inject their addon into Firefox (which would cause strange cpu-usage). And sadly, there doesn't appear to be an easy way to disable it except perhaps through some obscure setting in the AV.
Not news (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
I actually prefer the developer tools on FireFox.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re:Not news (Score:5, Interesting)
Fun fact, Chrome for Android sends the fine details of the device you're using in the user agent string, down to the device model, and as far as I can tell there's nothing you can do about this other than not using Chrome for Android.
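What the comment above describes can be checked by parsing the header. As an added example (not part of the original thread), this extracts the OS version, device model and build ID from Chrome-for-Android User-Agent strings and shows how a site operator could coarsen them before logging. The sample strings, the device names and the `generic` placeholder are constructed for illustration.

```python
import re

# Constructed samples in the layout Chrome for Android used around Chrome 69.
# Device models and build IDs are made up for this example.
_TEMPLATE = (
    "Mozilla/5.0 (Linux; Android {os}; {model} Build/{build}) "
    "AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/{chrome} Mobile Safari/537.36"
)
SAMPLE_LOG = [
    _TEMPLATE.format(os="8.1.0", model="ExamplePhone X1",
                     build="ABC1.180101.001", chrome="69.0.3497.100"),
    _TEMPLATE.format(os="8.0.0", model="ExamplePhone X1",
                     build="ABC1.170901.002", chrome="69.0.3497.91"),
    _TEMPLATE.format(os="8.1.0", model="SampleTab 10",
                     build="XYZ2.180301.003", chrome="69.0.3497.100"),
]
SAMPLE_UA = SAMPLE_LOG[0]

# Platform token: "(Linux; Android <version>; <model>[ Build/<id>])"
_PLATFORM = re.compile(
    r"\(Linux; Android (?P<os>[\d.]+); "
    r"(?P<model>[^;)]+?)(?: Build/(?P<build>[^;)]+))?\)"
)
_CHROME = re.compile(r"Chrome/(?P<ver>\d+(?:\.\d+)*)")


def parse_android_chrome_ua(ua):
    """Return the identifying fields of a Chrome-for-Android UA, or None."""
    plat = _PLATFORM.search(ua)
    chrome = _CHROME.search(ua)
    if not plat or not chrome:
        return None
    return {
        "android_version": plat.group("os"),
        "device_model": plat.group("model").strip(),
        "build_id": plat.group("build"),
        "chrome_version": chrome.group("ver"),
    }


def minimize_ua(ua):
    """Keep only major OS and browser versions; drop model and build ID.

    Strings that are not Chrome-for-Android UAs are returned unchanged,
    since this example only covers the case discussed in the thread.
    """
    fields = parse_android_chrome_ua(ua)
    if fields is None:
        return ua
    os_major = fields["android_version"].split(".")[0]
    chrome_major = fields["chrome_version"].split(".")[0]
    ua = _PLATFORM.sub(f"(Linux; Android {os_major}; generic)", ua, count=1)
    ua = _CHROME.sub(f"Chrome/{chrome_major}.0.0.0", ua, count=1)
    return ua


def distinct_buckets(uas):
    """Count distinct UA values before and after minimization."""
    return len(set(uas)), len({minimize_ua(u) for u in uas})


if __name__ == "__main__":
    print(parse_android_chrome_ua(SAMPLE_UA))
    print(minimize_ua(SAMPLE_UA))
    print(distinct_buckets(SAMPLE_LOG))
```

The before/after count shows how much the model, build ID and minor versions contribute to telling visitors apart in a server log.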
Re: (Score:1)
Re: (Score:2)
Why are you surprised? You should assume that when using chrome any website you touch is reported back to google, including page links you hit, something they're extremely interested in.
Do you know what a user agent string is?
The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.
https://developer.mozilla.org/... [mozilla.org]
Sheesh. FUD much?
Re: (Score:2)
FUD much yourself?
Well, since I never claimed anything about that, and it isn't even what we are talking about... no, I don't. I guess when you have no point any longer you try to change the topic? But anyway, that does sound like a very serious issue.
P.S., did you know that any Android app on your Android phone can know the model, manufacturer, and version number of the OS you are running?
https://developer.android.com/... [android.com]
Imagine all those Android apps harvesting your device and using that for [fill in evil plan here]. Sends
Re: (Score:2)
Language hard! Let me give you a timeline:
1. You made a misinformed comment about the nature and purpose of the UA header.
2. I called you out.
3. You responded with nothing other than a completely different complaint that Chrome mobile doesn't allow you to change the UA header
4. I called you out for changing the topic, and pointed out that you are misinformed about your new argument in (3) also.
5. Now, you call me out for... calling you out on the topic WHICH YOU changed to in (3)? Dude, you changed the topi
Re: (Score:2)
Fun fact, Chrome for Android sends the fine details of the device you're using in the user agent string, down to the device model
So what. The Android version and device type are things that might actually be helpful to a service when rendering a page. You know, the whole point of the UA.
Re: (Score:2)
Strongly disagree, neither should be relevant to anything sent over a webpage, which runs in an OS-independent and largely hardware-independent web browser. It is traditional for the UA to include a rough OS version, although the OS should be completely irrelevant to web content, but Chrome doubles down and delivers unnecessarily detailed information, down to minor OS revision. Sending the exact model of the device takes this lunacy to the greatest extreme possible short of sending hardware serials, how wou
Re: (Score:2)
how would you defend this pointless privacy violation?
You do realize the UA is sent to the requested website, not to Google, right? I guess Google could be sending the same information to themselves, but the existence of the Android version in the UA isn't your smoking gun, sorry.
But anyway, I guess you are going to need to explain how it's a privacy violation for sites I visit to know what sort of mobile device I use. The website already knows the OS, version of the OS, browser vendor, browser version, rendering engine, rendering engine version. That's in eve
Re: (Score:2)
The truth is that most people don't care about their personal data going to Google.
And thanks to the bunch of clowns directing Firefox, Chrome came out as the better browser overall, so people use it.
Re: (Score:2)
Re: (Score:2)
But I don't use Chrome (Score:5, Funny)
So how does that work
Huh? (Score:5, Insightful)
What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.
Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone. This death by a thousand cuts is so last decade.
Re: (Score:2)
Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone.
They don't want to wake the sheeple.
Re:Huh? (Score:5, Interesting)
What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.
Profiles address the issue, but the problem they're trying to address for users who don't use profiles is pretty clear. Jane is using the computer and has logged the browser in to her Google account, and has sync and web history enabled. Dick uses the computer and logs into his gmail account, then does some browsing, thinking the browser is logged into his account, which has web history disabled. His browser use gets logged in Jane's web history, violating Dick's privacy in two ways: He didn't want his browsing logged at all, and depending on the relationship between Dick and Jane and what exactly he browsed, may really not want it logged to Jane's account, where she can see it (though if this is the situation, he's an idiot for using a shared browser and not opening an incognito window, because local browser history is a thing).
Perhaps even worse, I said that Jane has sync enabled, which can include password sync. So Dick may inadvertently give Jane his passwords this way, too.
My bet (though I don't have any particular knowledge about it) is that this is not a theoretical scenario, that it has actually screwed a number of people which is why it came to the Chrome team's attention.
Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.
Re:Huh? (Score:5, Informative)
Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.
Here's a better analysis, by an engineer on the Edge browser team: https://textslashplain.com/201... [textslashplain.com]
Re: (Score:2)
Both swilden's explanation and your link make perfect sense. Which makes me wonder why Matthew Green said this:
> 1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
Odd.
Confirmation bias at work, I think. Everyone is vulnerable to it, even brilliant guys like Matthew Green.
Re: (Score:2)
Making browser login track the login Google apps is an obvious solution to this problem. Perhaps there's a better one, though.
How about: when the user logs into a google account that is different than that which is signed into Chrome, put up a dialog noting this and offering to sign out of Chrome. AFAIK this covers every case that I'm imagining the chrome devs might be "concerned" about, and is very up front rather than being silent and behind peoples' backs.
Re: (Score:2)
You describe a contrived scenario that doesn't need to happen at all, much less require logging in to Chrome itself to resolve it. Fuck that noise.
Re: (Score:2)
Re: (Score:2)
What does that have to do with anything? If it's a shared computer each person would have to log into their own account. More than likely under their own profile.
It has to do with giving an implausibly plausible justification.
Why doesn't Google just come out and say it. They're sucking up every bit of your information to sell to someone. This death by a thousand cuts is so last decade.
Are you mad? Google can't say that!
Disable it then. (Score:5, Informative)
Re:Disable it then. (Score:5, Insightful)
Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.
And how do you know that works?
Because Google's software said so?
"Yep! We pinkie-promise that we're not snooping on you now!"
Re: (Score:3)
I know that Chrome respects cookie settings, so that when cookies are not permitted for *.google.com - they are not being stored or sent (this is verifiable with a variety of tools).
In my case, that's the setting I've been using. No cookies, no login into any Google account.
Re: (Score:2)
Re: (Score:2)
That's why you don't use cookies blacklist—you use cookies whitelist; no cookies allowed for anybody without your explicit permission (and you can give permission in a way cookies get wiped out in browser re-start).
Re: (Score:2)
On a related note, can anyone recommend a good lightweight XMPP chat client for Android?
Re: (Score:2)
The burden hasn't shifted at all. It was clear from the beginning that Chrome was made for Google and not for its users. The only reason it's a good browser is to get people to use it so Google gets more data.
Re: (Score:2)
Re: (Score:1)
https://play.google.com/store/... [google.com]
Re: (Score:2)
Here's a good start:
https://staging.f-droid.org/se... [f-droid.org]
Re: (Score:2)
Re: (Score:2)
Better yet: change browser. If a piece of software tries to screw the users over, users shouldn't have to find a way around it: they should junk it. That's what that software deserves.
OTOH, users shouldn't be expected to keep up with all the news about how their software is trying to screw them, because that would be like a full-time job these days. So let's avoid blaming the victims, which is always a popular sport on Slashdot. Google is at blame here, not the users who weren't so computer-savvy as to disa
Re: (Score:1)
Better yet: change browser. If a piece of software tries to screw the users over, users shouldn't have to find a way around it: they should junk it. That's what that software deserves.
OTOH, users shouldn't be expected to keep up with all the news about how their software is trying to screw them, because that would be like a full-time job these days. So let's avoid blaming the victims
Why? Why should we stop blaming people who only eat at McDonalds and supersize everything for being obese? That Google has been a data vacuum since 2005 is obvious and anyone who trusts them regarding privacy since then is an idiot. Google is in business to do one thing: sell advertising.
Re: (Score:3)
Even if this works - the default should *always* be safety and privacy. Not spying. It seems most companies have willfully forgotten this.
For giggles, have a look at the GDPR notifications you get at different places. E.g. at engadget, I earlier today got presented with this. You get information on the cookies etc. they set/collect, and supposedly you should be able to modify settings... no, nope... you accept things the way they are or quit the page... which I did. No, I don't want any of that shit. If you
Re: (Score:2)
I'm going to have to try this. I wonder if it will prevent the 'logging out' or 'pausing' of the primary browser account when someone logs out of a GMail session. It's been causing me headaches.
Chromium (Score:1)
I wonder if this applies to Chromium also.
Re: Chromium (Score:1)
According to a reddit post, it does
The new Microsoft (Score:4, Interesting)
Re: (Score:1, Interesting)
Google is rapidly becoming the new Microsoft. No wonder they ditched the "Don't Be Evil" motto.
Well, of course they had to ditch that goal, having surpassed it.
Being merely evil is beneath Google now. They're aiming for bigger things.
You know, like colluding with totalitarian governments.
Nothing new (Score:4, Insightful)
Google is rapidly becoming the new Microsoft. No wonder they ditched the "Don't Be Evil" motto.
Honestly I think Facebook wins the current edition of the Evil Olympics among tech companies. But maybe Google is just a sneakier player and unfortunately the two of them combined are really hard to avoid if you give half a shit about your privacy. I don't have a Facebook account but I'd be truly shocked if they don't maintain some sort of profile about my activities on the web. I block what I can but it's hard to stop them entirely.
Any company in a position of power is likely to abuse that power to some degree. IBM did, Microsoft did, and the list goes on. Trust them at your peril.
Re: (Score:2)
FB is a clumsy toddler in evilness compared to Google.
Who's the bigger evil? (Score:2)
FB is a clumsy toddler in evilness compared to Google.
Perhaps. Facebook is definitely more blatant about their evil. Google is harder to avoid. Both companies have WAY too few restrictions on what they can do with data about basically everyone.
Re: (Score:2)
Honestly I think Facebook wins the current edition of the Evil Olympics among tech companies. But maybe Google is just a sneakier player and unfortunately the two of them combined are really hard to avoid if you give half a shit about your privacy.
Ummm... with Windows 10, Microsoft jumped squarely ahead of everyone in the Evil department. Neither Google nor Facebook have surveillance and control quite as unavoidable as Microsoft.
While I use Linux pretty much exclusively at home, at work, I constantly find new ways that Microsoft exfiltrates information. Yes, I am a "Security Engineer".
Microsoft doesn't sell my data (Score:3)
In a post he wrote (Score:2)
"In the rest of this post, Iâ(TM)m going to talk about why this matters. "
What he actually posted was:
"In the rest of this post, I’m going to talk about why this matters."
Re: (Score:2)
Wait, Slashdot can handle nicod now? Why is it still so roken? \_()_/
P.S. Preview still looks broken, so maybe this won't go through.
Noticed this and now only use chrome. (Score:2)
To watch netflix and amazon. I downloaded palemoon and use it for basic web access. Google has grown too large to keep from becoming 'evil'.
Google has basically stopped caring. (Score:3)
Now, as long as it makes them a buck and increases their huge cache of customer info, there's pretty much nothing they won't sink to.
Distrust of them is why I've avoided Chrome.
Sync? (Score:2)
Use Firefox (Score:1)
and don't sign up for Mozilla Sync either. Many of the plugins for Chrome now work in, or have versions for, Firefox because the plugin engine is similar. If you avoid Mozilla's sync they won't get much of your personal information.
Authentication == Non Privacy (Score:1)
This is why I use FireFox (Score:4, Interesting)
Wait... Chrome didn't always do this? I just assumed, from the first day I saw a coworker "log in" to the browser (a concept that made no sense to me at all) it was just a way to automatically log you in to Google's services. Today, I have to use it because developers around me make web apps that only work on Chrome! It's becoming like the IE fiasco from the early 2000's all over again.
Chrome exists solely for the purpose of furthering Google's marketing efforts. While everyone is vilifying Apple and Microsoft, Google has quietly obtained control of the OS (Android), the browser (Chrome), search (Google), advertising (Adsense), and the web (Amp). The biggest advertiser on the planet has your phone numbers, your texts, your emails, recordings of your voice, ...
Google didn't create Chrome because they needed a browser, or they wanted to optimize JavaScript, or they needed a debugger. They wanted client-side control of your machine, and it took a browser and an OS to do that.
Geeks need to go back to Firefox. It isn't made by an OS vendor or an advertising agency, it doesn't snoop on you, and it is completely open source.
Re: (Score:1)
Geeks need to go back to Firefox. It isn't made by an OS vendor or an advertising agency, it doesn't snoop on you, and it is completely open source.
I was a big fan of Firefox until they quit focusing on geek things and started focusing on PC culture wars. When a person's politics trumps their qualifications the organization is dead to me. Brave on the other hand is a great browser that is also open source.
Re: (Score:1)
Just wait for the revelation that shows the true size of Google's ocean of data. I expect that what we've been told or what most people have even imagined is not even close to the true magnitude. We exist in a world of identification numbers everywhere you go (card numbers, RFID tags, Wifi access point MAC, bluetooth device ID, web browser cookies, and on and on). The possibilities of correlation of all this data are staggering.
Re: (Score:1)
The reverse is happening of what you think:
- User explicitly uses Chrome without logging in to Google (in the privacy policy, this actually means they slurp less information from you)
- User logs into some Google web property
- Chrome silently logs into that Google account without prompting
Logs you out as well (Score:2)
Sorry I can't be as tin-foil hat as the rest of you, but let me tell you how this affected me.
My PC at home is used by all my family. We pop in and out of Gmail users 100 times a day. However my browser always stayed logged in as the primary user, which affected how the extensions worked, among other things.
Recently that all changed and every time someone would log out of email it would log me out of the browser. (Actually it would say 'Paused' but since you had to log back in to un pause it, it's pretty
New Google motto (Score:1)
Let's be assholes
Yet another reason I'll never use Chrome (Score:2)
Really? (Score:2)
So which one of my 15 Google ids does it use?
Google's New Motto (Score:2)
Customer? (Score:2)
"Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly."
I don't think, relatively speaking, that many of us are Google's customers. Most of us are just food on the menu.
Epically Bad Communication (Score:2)
Honestly, the logic of this change is pretty reasonable. Mostly it just makes the background behavior more visible.
Previously, if I had gone onto somebody else's machine and decided to log in to check my e-mail while I was on their machine, and failed to do so in incognito mode, then they could hop onto their machine and look not only at my e-mail, but also my calendar, my Drive, and everything else I have related to Google. There would be nothing in the UI to tell me about this behavior at all.
Making it
Re: (Score:2)
While this is really annoying, fortunately it doesn't synchronize anything by default. It just logs you in but you have to manually enable syncing.
Also, dude, porn is what you have that secondary Firefox installation for.
Re: (Score:1)
I See What You Did There...
Re: (Score:2)
Or better yet, stop bookmarking porn pages. Just commit it to memory.
Re:So.... (Score:4, Insightful)
This is when I immediately uninstalled Chrome, filled in their "survey" that it automatically takes you to, and installed Firefox. I was very pleased to see that Firefox gives you the option off the bat to use an address bar as an address bar. There's nothing like a bait and switch "feature" hijacking all your address data, phoning home under the guise of offering lame suggestions, and performing a search if you mistyped and didn't get a FQDN right.
I won't be going back any time soon.
Google: Be Evil. (TM)
Re: (Score:2)
... and installed Firefox.
Now you have a bunch of new stuff to disable ... :-)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I assume Brave only lets you watch straight porn? :-P
Re: (Score:2)
I assume Brave only lets you watch straight porn? :-P
I see what you did there.
Re: (Score:2)
Brave.
LOL.
Useless crap on the same level as Edge.
I was on their support forum and couldn't believe the stupidity of the devs there.
I asked how I can move the browser cache to a different location. Can't do it. Moron developers keep asking why I want to do that.
Well, in addition to wanting the cache on a RAM disk instead of on my SSD, how about the fact that every browser, INCLUDING FUCKING INTERNET EXPLORER lets you easily move the browser cache to any location you want.
The *ONLY* browsers that don't le
Re: (Score:2)
I assume it logs out when you log out of gmail, too, no?