In Quiet Change, Google Now Automatically Logging Users Into Chrome

The change is a complete departure from Googles previous practice of keeping sign-in for Chrome separate from sign-ins to any Google service.

In a change with potentially worrisome privacy implications, Google has begun to automatically log users in to Chrome whenever they use the browser to sign into Gmail or any other Google service.
The change, introduced quietly with the new Chrome 69 release earlier this month, is a complete departure from Googles previous practice of keeping sign-in for Chrome separate from sign-ins to its other services. Previously, Gmail users concerned about Google collecting their browsing data could use Chrome without necessarily being signed into the browser.
But starting with Chrome 69, the only way users can do that is to not be logged into any Google service at all. Signing into a Google account will automatically sign them into Chrome. Signing out of Chrome will automatically sign users out of their other Google accounts.
In a
blog
Sunday, Matthew Green, a security researcher at Johns Hopkins University, blasted the change as having enormous implications on user privacy and trust. The change makes a hash out of
Google’s own privacy policies
for Chrome, Green noted.
The privacy policies – up until this week, at least – made it very clear that when people are using Chrome in basic browser mode, their data is stored locally, and when they are signed into Chrome, their browsing data is shipped to Google. The implication up to now has been clear, Green said. If you want privacy, dont sign in, he says. But what happens if your browser decides to switch you from one mode to the other, all on its own?
Until Greens post on Sunday, few knew about Googles update. The only indication of the change is that users Google profile pictures or icons now appear in the righthand corner of the browser window when they are logged into a Google account.
In a
Twitter thread
responding to Greens blog post late Sunday night, Google software engineer Adrienne Felt insisted that though Google is now automatically signing people in to Chrome, it does not mean the company is automatically uploading their browsing data as well.
In order for that to happen, users have to take the additional step of turning on a Chrome Sync feature after they are signed in, she said. By syncing, users can access their Chrome browsing histories across all devices. But Sync does not happen automatically when people get signed into Chrome, according to Felt.
She added that Google is updating its privacy notices ASAP to better clarify the implications of its automatic sign-in update for Chrome.
The new feature that automatically signs people into Chrome is called identity consistency between browser and cookie jar. The only reason Google has added the feature is to prevent confusion among people sharing devices, Felt said in tweets that echoed comments made by two Chrome developers to Green. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed in to Chrome, which could cause problems on a shared device, Felt said.
For example, an individual using a computer where another user might have previously signed into Chrome could end up having cookies from his browsing sessions uploaded to the originally signed-in users account, Green said. However, this becomes a potential issue only for users who sign in to Chrome in the first place, he noted.
The problem that the update is supposed to address does not impact users who choose not to log in to Chrome at all. If the problem has to do with signed-in users, it makes little sense for Google to make a change that forces unsigned users to become signed-in users, Green said.
Troublingly, Googles new menu for users signing into Chrome is also so vague that people could easily end up granting consent to sync their browsing data when they, in fact, did not intend to do so, Green said. Where previously users had to put in the effort of entering their credentials to sign in to Chrome, they can now end up consenting to data upload with a single accidental click.
Google also has not made clear what data exactly it will upload when a previously logged-out user logs in to Chrome and turns on the Sync feature. Its not clear whether in this case Google will upload all of the data that was previously stored locally on the users device, Green noted.
Dark Reading has observed an equally confusing message when a user signs out of Gmail these days. The message notes that the user is signed out and that syncing is paused, and then adds: Your bookmarks, history, passwords, and more are no longer being synced to your account but will remain on this device. Sign in to start syncing again.
In her tweets, Felt noted that Chrome data is not being uploaded without a user specifically consenting to syncing it. So it is not clear what other bookmarks or history it is that Google is referring to when it talks about syncing. Google did not respond to Dark Readings request for clarification. In response to a request for comment on Greens concerns, Google pointed to Felts Twitter stream.
Related Content:
Privacy Survey Says: Americans Dont Want to Sell Their Data
Privacy Group: Facebook, Google Policies Break GDPR Laws
4 Benefits of a World with Less Privacy
7 Places Where Privacy and Security Collide

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
In Quiet Change, Google Now Automatically Logging Users Into Chrome