
Starting with Chrome 69, logging into a Google Site is tied to logging into Chrome.


steven36


Chrome is a Google Service that happens to include a Browser Engine

 

https://s7d8.turboimg.net/sp/0aed43a3cd463f60b552e04d47c1b00f/chrome-login-2.png

 

 


 

This is typically the topic where things are complex enough that tweets or 500 character Mastodon toots don’t do it justice. I’d also mention that I prefer to avoid directly linking people’s posts on this, because I dislike the practice of taking discussions out of their original audience and treating them as official or semi-official communications from a given company.

 

So what changed with Chrome 69? From that version, any time someone using Chrome logs into a Google service or site, they are also logged into Chrome-as-a-browser with that user account. Any time someone logs out of a Google service, they are also logged out of the browser. Before Chrome 69, Chrome users could decline to be logged into Chrome entirely, skipping the use of Sync and other features that are tied to the login and they could use Chrome in a logged-out state while still making use of GMail for example.

 

Just to spell it out: this means Google logins for Chrome are now de-facto mandatory if you ever login to a Google site.

 

When someone in the security community raised this, it turned out that apparently this is intended behaviour from Google’s side as confirmed by multiple googlers and they were wondering why the new behaviour might feel abusive to some people. Some folks working on Chrome pointed out that most people can’t differentiate between logging into a Google Site and logging into Chrome and this has led to problems with shared computers, where person A logs into GMail, but person B is logged into Chrome. This prompted Chrome developers to come up with the change that erases the distinction entirely.

 

It is at this point that I should note that I don’t personally use Chrome, as I felt it was too closely corporate Google even before this change. This is also not a post arguing that “some users can tell the difference, therefore…”, I do believe software should be written with the common users in mind. Interestingly, the common user belief that strongly equates Chrome with a Google Service (and not an application or tool) is probably the more accurate view of Chrome, post release 69. It’s worth wondering from where users got that impression and why.

 

So if this change is just about bringing Chrome in line with what most users believe anyway, what’s the fuss? Perhaps it’s not about what people believe, but what is right. Perhaps Google doesn’t want Chrome, currently having majority browser market share, to be a neutral platform. A lot of people, developers especially, believe that Chrome is a Google-influenced but more or less neutral tool and then this widespread belief has to be reconciled with the Chrome-as-a-service thinking.

 

Violating the content vs browser separation layer doesn’t just conform to what a lot of users believe, it also ties what’s happening inside the browser to Google on an unprecedented level, throwing the neutrality of Chrome as a platform into question. What’s the next thing that Google and only Google can make Chrome do? Concerned about shared computers but you’re not Google? There is no neutral API to log someone out from Chrome and prevent data from being synced if it’s about person A logging into Facebook in person B’s Chrome profile.

 

Sidenote: Most Google services have for me this in common with Facebook: these services are too deeply integrated and impossible to use in part or isolation. It’s either the entire system or nothing, based on how the question of consent is approached. You would like to use GMail (logged in obviously) but Google search, Youtube, Chrome etc without a login? No can do. You selected strict settings in Facebook for your profile data? You’re just an API/permission redesign away from having your choices nullified. Part of me feels that this Chrome shared computer issue that Googlers mentioned is real, but it’s also just too convenient to solve this by tying Chrome closer to Google, you know?

 

update:
- Compare the basic (local) and signed-in mode in Google Chrome’s privacy policy. Silently upgrading from basic mode to signed-in mode makes quite a large difference.
- Chromium is apparently also affected by this.
- There is a workaround to disable this behaviour. I deliberately don’t include it here, as that relies on internal flags and the point of this post wasn’t to try to revert this change, but rather to think about Chrome’s direction in general.

 

Source


Solution for unsatisfied ones: type and enter chrome://flags in Chrome's address bar. Then, search for 'Identity consistency between browser and cookie jar' and set its value to 'disabled'.



Google secretly logs users into Chrome whenever they log into a Google site

 

Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change.

 

Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.

According to several reports [1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system, also known as Sync.

 

This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers.

 

Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

 

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy.

 

That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click.

 

 

Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

 

When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person's Google account.

 

But despite this clearly logical decision behind this move, users are still angry. First and foremost, they are angry because they don't have this ability to decide when they log into their browser, and second, they are angry because Google had failed to tell them about this new move.

 

Google Chrome 69 was released on September 5, more than two weeks ago, and if you haven't been probing the depths of Twitter, Mastodon, or Hacker News, you wouldn't have known of this change in Chrome's behavior.

 

Almost all users who never used Chrome's Sync feature before might find it surprising that they are logged into Chrome right now, as they read this article, if they've also logged into a Google account somewhere on Gmail, YouTube, or any other service.

 

But the criticism doesn't stop here. Matthew Green, a well-known cryptography expert and professor at Johns Hopkins University, pointed out in a blog post today that Google has also redesigned the Sync account interface in a way that it is not clear anymore to users when they are logged in or what button they should push to start syncing.

 

He calls this change a "dark pattern," a term used to describe user interfaces that have been intentionally designed to be misleading.

 

In its current form, the Sync interface is indeed misleading, and a user might be one wrong click away from giving all their browser data to Google by accident.

 

But some also suggested that Google's move might have been planned well in advance. Chrome 69 was a major release for Google, coming with many new features, including a new user interface.

Some claim that Google hid this new change in the Chrome 69 release, hoping that nobody would spot it among all the goodies the company added to its browser, hence, the reason why it did take over two weeks for Google aficionados to spot the update.

 

Green's social media clout, along with some heated Twitter conversations, did manage to push things at Google's HQ, and Chrome engineers have told Green that Google will clarify Chrome's Privacy Policy to reflect Chrome's new mode of operation.

 

Though this policy update may satisfy some lawyers in Google's cozy offices, this does not address the issue that Google has modified a Chrome feature without telling users, and that modification might lead to serious privacy breaches.

 

Microsoft has suffered a major reputational blow due to its initially hidden Windows 10 telemetry practices, and so has Facebook in the recent Cambridge Analytica scandal. Twitter is also known to be flooded with bots, fake news, and political influence campaigns, and Reddit is a home for communities dedicated to abuse, harassment, and physical threats.

 

Through the years, Google has managed to keep a shiny reputation, despite being known to be the biggest data hoarder around. It's usually shady behavior and small things like these that bring down a company's reputation. Oh, wait!

 

Source



Disable Google Chrome Sign In and Sync

 

As you might have heard, Chrome 69 automatically logs you into the browser when you log into any Google property. As much as I might like Chrome (and Google), I was quite displeased by this particular change: I assume it was in the release notes (that probably a vanishingly small number of Chrome users read), but the rationale that's been given for the change doesn't really make sense, and in any case I really prefer not to have anything synced anywhere. It definitely (for me at least) violated the principle of least astonishment: I can't speak for anyone else but I personally don't expect a routine software upgrade to suddenly start uploading passwords somewhere, or copying my passwords onto any random computer I happen to log into.

 

As noted in the first article above, the Sync enabled/disabled UI was singularly confusing to me as to what the state of things is, and a careful search (well, about 1 minute) through the Chrome settings pages didn't really shed much more light on exactly how I could guarantee no data gets inadvertently synced. I set out to figure out how I could keep using Chrome but still feel relatively comfortable that Chrome Sync wasn't helpfully distributing my data. After a couple of hours running around I finally got it together thanks to https://www.chromium.org/administrators/policy-list-3.

 

For OSX, open a terminal window and run:

defaults write com.google.Chrome SyncDisabled -bool true
defaults write com.google.Chrome RestrictSigninToPattern -string ".*@example.com"

The first line will disable the Chrome Sync functionality, ensuring nothing gets uploaded to Chrome Sync. The second line will only allow users with example.com email addresses to sign into Chrome: since NO one has an example.com email address that will allow them to log into Google, no one can sign into the browser. Those 2 lines returned my browser bar to its original state: I can log into Gmail without the browser location bar showing my account icon.

 

To get it done on Windows (with or without an Active Domain computer login account), you can use a registry file.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome]
"SyncDisabled"=dword:00000001
"RestrictSigninToPattern"=".*@example.com"

Save the above text to a file disablesync.reg, and double click it (or run reg import disablesync.reg at a command line).

 

As of Chrome 69, this works. Given the way this transition occurred there is no guarantee that future versions of Chrome will continue to work the same way, but given that Chrome's Enterprise offering probably needs to support restrictions of this kind I'm assuming something similar will continue to be supported.

 

Source
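An added example, not part of the original post: a small shell audit that checks whether the two policy values from the macOS commands above are still in place, for instance after a Chrome update. It assumes macOS `defaults read`, which prints the stored value and exits non-zero when the key is absent; the function names `read_policy` and `audit_chrome_signin` are illustrative.

```shell
#!/bin/sh
# Added example: audit the SyncDisabled and RestrictSigninToPattern values
# written by the `defaults write` commands in the post above.
# Assumption: runs on macOS, where `defaults read <domain> <key>` is available.

CHROME_DOMAIN="com.google.Chrome"

# Print the stored value of a policy key, or nothing if the key is not set.
read_policy() {
    defaults read "$CHROME_DOMAIN" "$1" 2>/dev/null || true
}

# Return 0 only if sync is disabled AND sign-in is restricted to the
# expected pattern. Prints one OK/FAIL line per policy.
audit_chrome_signin() {
    expected_pattern="$1"
    rc=0

    sync_disabled=$(read_policy SyncDisabled)
    case "$sync_disabled" in
        1|true|YES) echo "OK   SyncDisabled=$sync_disabled" ;;
        "")         echo "FAIL SyncDisabled is not set"; rc=1 ;;
        *)          echo "FAIL SyncDisabled=$sync_disabled (sync allowed)"; rc=1 ;;
    esac

    pattern=$(read_policy RestrictSigninToPattern)
    if [ -z "$pattern" ]; then
        echo "FAIL RestrictSigninToPattern is not set"; rc=1
    elif [ "$pattern" != "$expected_pattern" ]; then
        echo "FAIL RestrictSigninToPattern=$pattern (expected $expected_pattern)"; rc=1
    else
        echo "OK   RestrictSigninToPattern=$pattern"
    fi

    return $rc
}

# Usage on the machine being checked:
#   audit_chrome_signin '.*@example.com' || echo "Chrome sign-in policy drifted"
```

The chrome://policy page in the browser lists the policies Chrome actually loaded, which is the final check that the stored values took effect.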



  • Administrator

I wonder if it affects Android versions too.

 

They need to give an option to disable this.



Google Chrome Secretly Logs Users Activity On Google Sites

 

The launch of Google Chrome 69 kept everyone enthralled with a trail of reports for some new features. In one instance, it facilitated users by introducing the random password generator. Whereas, on the other hand, it infuriated many people by announcing the removal of ‘www’ and ‘m’ subdomains from the URL.

 

Nonetheless, the decision was withdrawn in this version due to outrage from users. We now have a report about another nasty feature in this Chrome version. Reportedly, Google Chrome secretly logs your activity whenever you visit a Google website.

Google Chrome Secretly Logs User Activities With “Chrome Sync”

Many of you might have already switched to the latest Chrome 69 browser. While exploring the features, you may not have noticed a new option that remained unannounced. Nonetheless, through this particular option, Google Chrome secretly logs users’ activities upon visiting a Google website.

 

Known as “Chrome Sync”, the tool utilises an auto-login mechanism for users. Hence, anyone browsing through a Google-owned website after logging in (for instance, Gmail) would instantly be syncing their browsing details to Google.

 

What’s more problematic for many users is that Google simply logs the browser to your Google account without prior notice. It means you will get no intimation when Google starts syncing your browser.

 

Regarding why Google made this change, a Chrome engineer said in their tweet. [...]

 

Read the full article at the source.

 

Source



Archived

This topic is now archived and is closed to further replies.
