Users furious as Google secretly forces login in Chrome

Richi Jennings, Industry analyst and editor, RJAssociates


Last week, Google silently changed an important privacy feature in its Chrome browser. But in all the hoo-hah over Chrome 69’s funky new UX, la GOOG (ahem) forgot to mention this radical shift.

Google doesn't even adhere to its own privacy policy now. And some are even accusing it of creating a “dark pattern” (i.e., a UI that tricks users into doing something they didn’t want to do).

And now Google is walking it back, but not a lot. In this week’s Security Blogwatch, are we sleepwalking into telling Google everything?

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Idle philosophy


Another insult to privacy

What’s the craic? Alan Martin—Chrome 69 secretly logs you in to Chrome Sync when you visit a Google site:

Whether you log in to Chrome or not has always been your choice. But apparently assuming that anyone [not doing so] hasn't got their fluffy little heads around the idea of passwords, Google is now doing it on your behalf. Without asking, [nor an] update to the privacy policy.

Chrome 69 … is automatically logging people in as soon as they hit a Google-owned site. … That may sound convenient, but people are up in arms.

Google … claims that rather than a sneaky privacy breach, this is actually designed for extra security. [And that] syncing data is an additional step [which] requires opt-in.

Still, at the very least, you could say this has been poorly handled. … Google says it will be updating its privacy policy soon to reflect the changes, but that doesn't quite cut it.

Wait, what? Bálint Szilakszi quips Chrome is a Google Service that happens to include a Browser Engine:

So what changed with Chrome 69? [Now] any time someone … logs into a Google … site, they are also logged into Chrome-as-a-browser with that user account. … Before Chrome 69, Chrome users could decline to be logged into Chrome entirely, skipping the use of Sync and other features that require a login.

Apparently this is intended behaviour. … Multiple Googlers … were wondering why the new behaviour might feel abusive.

Perhaps Google doesn’t want Chrome … to be a neutral platform. [It] ties what’s happening inside the browser to Google on an unprecedented level, throwing the neutrality of Chrome as a platform into question.

Chromium is apparently also affected by this.

Cue an epic slump in Chrome browser share? Here’s why Matthew Green, for one, is done with Chrome:

Due to Chrome’s new user-unfriendly forced login policy, I won’t be using it going forward. … Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.

This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this. … The change makes a hash out of Google’s own privacy policies for Chrome. … Google needs to stop treating customer trust like it’s a renewable resource, because they’re screwing up badly.

For ten years I’ve been asked … by the Chrome browser: “Do you want to log in with your Google account?” And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision.

The Chrome sync UI is a dark pattern. Now that I’m forced to log into Chrome, I’m faced with a brand new menu I’ve never seen before. … Does that big blue button indicate that I’m already synchronizing my data to Google? … Maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident? … This is a dark pattern. … It has the effect of making it easy for people to activate sync without knowing it.

Google’s reputation is hard-earned, and it can be easily lost. Changes like this burn a lot of trust with users.

A dark pattern you say? Lukasz Olejnik inquires:

While some people are finding it problematic and confusing … let’s trust Google Chrome has thought it through well. … Let’s assume the feature is needed.

For some reason, the information about this change is not reflected in the official release notes of Chrome 69, nor in the note lauding the user interface upgrade. The change simply appeared to come out of the blue … without the user knowledge (in advance), awareness, or consent. [It] has been made abruptly, for millions of users.

Furthermore, during testing I was successful at deliberately-inadvertently synchronising my settings to the cloud. … I was unable to click “undo” [but] instead of “Last time synced in 2017” I saw the following: “Last time synced on Today”.

Article 35 of GDPR requires making [a] Data Protection Impact Assessment [which] must be updated when significant changes in the system are introduced. … GDPR says that an infringement in relation to [the] DPIA requirements [is fined up] to 2% of the total worldwide annual turnover.

Ouch. Is there a way to stop it? Here’s olsmeister’s masterful suggestion:

Disable it then.

Go to chrome://flags//#account-consistency, switch Account Consistency option to disabled.

Doesn’t exactly sound easy. Google’s Zach Koch is sorry-not-sorry:

We recently made a change to simplify the way Chrome handles sign-in. … Importantly, this allows us to better help users who share a single device.

We’ve heard—and appreciate—your feedback. We’re going to make a few updates in the next release of Chrome.

We’re adding a control that allows users to turn off linking web-based sign-in with browser-based sign-in. … We’re updating our UIs to better communicate a user’s sync state. … In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared. We will change this behavior.

We’re lucky to have users who care as much as you do. Keep the feedback coming.

Please excuse me a moment—there’s a little bit of puke in my mouth. Richard “God” Speed reports Google plans to hide a don't-be-creepy switch in v70: [You’re fired—Ed.]

Chrome 70, due in October, walks back controversial changes in the browser that had the privacy world all aflutter.

Doubtless still hiding behind the [couch], Koch trotted out the earlier excuse that automatically signing a user into Chrome … was absolutely fine. He went further, showing a blown-up image of the browser to, er, demonstrate how clear the signed-in indicator was.

This sounds terrible. But it gets worse: PopeRatzzo claims Chrome now ignores another personal setting:

Just last night Chrome auto-updated itself to 69. I was running an older version for two or three years (had very good reasons to) and had all the auto-update garbage turned off.

This is when I immediately uninstalled Chrome, filled in their "survey" that it automatically takes you to, and installed Firefox. … I won't be going back any time soon.

Time to find a new browser? I hear Firefox is pretty good these days. But Lindsey O'Donnell has bad news—Tricky DoS Attack Crashes Mozilla Firefox:

A newly released proof-of-concept attack using malicious JavaScript can crash or freeze Mozilla Firefox. … A series of browser bugs dubbed Browser Reaper [can] crash Firefox.

Sabri Haddouche [is] the same researcher [who] revealed a … PoC that could cause iOS devices to crash or restart. … And earlier this month, he revealed an attack that freezes Chrome browsers using one line of JavaScript.

Any other options? Vivaldi was founded by Jon von Tetzchner:

Google sadly blocks some competing browsers from using their services, even browsers … based on Chromium. We need to change our identity when visiting many Google services.

Large companies should not … behave this way. … We all know that browser choice is a good thing, even more so than for most other products. The browser is your view into the Internet and we all spend a lot of time there. Healthy competition means product innovation.

It is not trivial to compete with these large corporations, but it is something we enjoy. We fight for our users and for the future of the Internet. That is definitely something worth fighting for.

Meanwhile, this Anonymous Coward might be being slightly sarcastic:

They [Google] monitor everything I do. They keep me safe and warm from all the icky stuff on the web. They know everything I like, and don't like.

The advertising is so great I don't even have to look for anything, they just tell me what I want. I don't keep secrets from mr google, he knows … when and what I eat, when I sleep, where I drive, the friends I keep. They even know my banking and home address.

I keep mr google in my house to talk with me, play songs for me, pick my TV shows, wake me up. I am looking forward to when mr google can cook and clean for me too.

I love google, it is my god, the only thing I need and want in life. Please love me back google, I need you.

The moral of the story? Don’t be tempted to hide huge privacy changes behind vapid PR spin—you will be found out.

And finally …

What Monty Python’s Eric Idle Learned from The Beatles’ George Harrison


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Petra “Pezibear” Fischer (cc0)
