September 24, 2018 // 11:15 a.m.
Google has come under fire from privacy enthusiasts for an ill-documented change to the default behaviour of its Chrome web browser, which sees the browser's own sign-in system inextricably tied to use of Google services such as Gmail and Google Drive.
The launch of Chrome 69 earlier this month, part of Google's 10th birthday celebrations for its hugely successful browser, brought with it a variety of heavily-discussed changes: The browser's new look, revamped password manager, and search improvements were all heavily publicised by Google's Rahul Roy-Chowdhury at the time of the launch, while future changes including better support for augmented reality systems, embedded artificial intelligence, and even the retirement of the uniform resource locator (URL) address format itself up for discussion.
What Roy-Chowdhury and others didn't publicise, however, was a change to the way Chrome handles Google services: Where previous releases had a divide between signing into web-based services like Gmail and Google Drive and signing into the browser itself, the latter being an optional step which allows Google to track your usage for everything from sending tabs to and from different devices to synchronisation of bookmarks and saved passwords, Chrome 69 does away with this distinction and makes signing into any Google service the same as signing into Chrome.
The change has privacy enthusiasts up in arms. 'From my perspective, [the problem] comes down to basically four points,' expatiates cryptographic engineer Matthew Green in a blog post on the topic. 'Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense; this change has enormous implications for user privacy and trust, and Google seems unable to grapple with this; the change makes a hash out of Google’s own privacy policies for Chrome; Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly.'
Green quotes unnamed Chrome developers as defending the change, pointing out that while it does mandate signing in to Chrome in order to use any personalised Google services it does not depend upon nor automatically enable data synchronisation with Google's servers. Green also argues, however, that this doesn't matter: The tying together of service and Chrome sign-ins is a 'dark pattern,' he says, arguing - with others - that it serves no good purpose other than to make it easier for users to begin synchronising their data with the company. Google, naturally, wants as much data as possible: Its parent company, Alphabet, is one of the world's biggest advertisers, and it got and remains that way by eking as much value from its users' data as possible.
Google has confirmed it is listening to concerns regarding the new behaviour, announcing that it will provide a toggle to restore the original functionality - whereby site logins and Chrome logins are entirely separate - in Chrome 70. The new behaviour, however, is expected to remain the default.