Monday, September 25th 2017

Chrome 69 Adds Forced Login, Threatens Privacy: How to Fix it

There was a time when Chrome users could be safe and think that what they did in Google Services (Gmail, YouTube, Maps, etc) was separated from their actions in the browser. One thing wasn't necessarily tied to the other, but now things have changed - and without any public disclosure from Google.

Starting with the recently published Chrome 69, if you use this version of Chrome and log into any Google service or site, you will be automatically and magically logged into Chrome with that user account. A systems architect called Bálint disclosed a problem that changes Chrome behavior in a way that could potentially harm user's privacy.
Before Chrome 69, the sign-in into the browser was optional, and it allowed you to have your cookies, history or bookmarks across all the devices on which you used Chrome. It was convenient for many people, but the user had to actually enable it with two steps: logging into Chrome, and then enabling Google Sync in the second place. Even if you were logged into Gmail, you could be using Chrome without being logged at all in the browser (or logged into it with a different user's account, for that matter).

That was the problem according to Google engineers, who have claimed the change in Chrome 69 is due to "consistency" problems. Adrienne Porter Felt, engineer & manager in Google Chrome, tweeted about this and explained that her team made this change "to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device".

The change has made a lot of people angry, though. As Bálint pointed out on his analysis, the problem lies with doing things right, and taking away that option from the user has ignited the debate on privacy. Even with Google's best intentions, the change has been seen as the latest threat on a long list of threats Google has made to their user's privacy.

Matthew Green, a cryptographer and professor at Johns Hopkins University, was even more critical about the problem when he wrote "Why I'm done with Chrome". He questioned Google rationale "for why this change was necessary", and criticized the "enormous implications for user privacy and trust" this change has.

Google engineers insist: Sync doesn't automatically turn on with the auto login, so for them the privacy problem is not that big. The problem according to Green is that user consent matters, and for many critics of the change, this is the real threat for a decision that was made to take away user consent and potentially help Google to collect more and more data.
In fact, there's even more to the story: the CTO and co-founder of ContentPass, Christoph Tavan, discovered how when the user makes Chrome clear all cookies, the browser deletes all... except from Google cookies.

Fortunately, users can disable this forced login policy. To do so, you must use Google Chrome flags and change one of the parameters to avoid problems.
The steps are the following:

1. Go to "chrome://flags/#account-consistency"
2. That will show the flag 'Identity consistency between browser and cookie jar' select "Disabled" from the drop-down menu
3. Click on "Relaunch now"

After that, you will be able to keep the old Chrome behavior, and logging into Google services and sites won't log you into Chrome.

Update (09/26/18): Google has announced a series of changes in Chrome 70 to address these issues. A blog post by one of Chrome product managers explains how the next version of Chrome will introduce controls to disable Chrome sign-in, for example. The "Delete All Cookies" option will take care of Google auth cookies too in order to remove then. Finally, they will update their UI to "better communicate a user's sync state". Source: Bálint's extended musings
Add your own comment

46 Comments on Chrome 69 Adds Forced Login, Threatens Privacy: How to Fix it

#1
Darmok N Jalad
Google engineers insist: Sync doesn't automatically turn on with the auto login, so for them the privacy problem is not that big.
“The privacy problem” has never been seen as a big deal for Google. They just like to get sued by the EU, I guess.
Posted on Reply
#2
Shamalamadingdong
Isn't the headline false if Google denies the allegations and explains why it appears you're automatically logged in? Yet the headline is written to make people click only to find out it isn't so cut and dry...
Posted on Reply
#3
Vayra86
Privacy isn't a feature, its a bug :nutkick:
Posted on Reply
#4
ZhangirDuyseke
Sheesh. People care about privacy like they are the most important people in the world! First of all there is no privacy on the Internet, second, what makes you think that one of the biggest tech companies in the world like Google is interested in miserable and worthless works like you?! Or maybe you care about it because you are cybercriminals, terrorists or you sell drugs?
Posted on Reply
#5
Vayra86
ZhangirDuyseke said:
Sheesh. People care about privacy like they are the most important people in the world! First of all there is no privacy on the Internet, second, what makes you think that one of the biggest tech companies in the world like Google is interested in miserable and worthless works like you?! Or maybe you care about it because you are cybercriminals, terrorists or you sell drugs?
https://www.theguardian.com/technology/2015/may/07/surveillance-privacy-philosophy-data-internet-things

https://plato.stanford.edu/entries/privacy/

Have fun. You might learn a thing or two about life. Its not even a discussion really, just get educated.
Posted on Reply
#7
Easy Rhino
Linux Advocate
I don't have a problem with forced login. I have a problem with Google making the change without some sort of user acknowledgment. I really wish years ago I never used gmail. I should have went with something like ProtonMail that was private and unaffiliated with an ad agency...
Posted on Reply
#8
Vayra86
ZhangirDuyseke said:
The first link you shared contained photo of Snowden, the traitor and fool. You get educated. You are nobody to tech companies to spy on you, paranoid.
Well, it only took you two posts to go straight to ignore ;) Well played, sir! When you're done clicking link one, try the second. It doesn't have pictures, so this may get tough.
Posted on Reply
#9
ZhangirDuyseke
Easy Rhino said:
I don't have a problem with forced login. I have a problem with Google making the change without some sort of user acknowledgment. I really wish years ago I never used gmail. I should have went with something like ProtonMail that was private and unaffiliated with an ad agency...
Man, you sound like someone who has something to hide. Gmail is one of the most popular email services if not the most popular in the world. I have no issue with Google collecting my data cause I have nothing to hide. I use there service, they collect data to improve my experience. Fair enough. People ARE hackers, terrorists and pedophiles who care about privacy
Posted on Reply
#10
DeathtoGnomes
Why anyone uses a browser made by a company that sells personal user information for profits is beyond me. Although I didnt know you had to log into a browser (never used it), my distaste for Chrome just increased. Good luck with The Truman Show, owned by Google.
Posted on Reply
#12
DeathtoGnomes
ZhangirDuyseke said:
Man, you sound like someone who has something to hide. Gmail is one of the most popular email services if not the most popular in the world. I have no issue with Google collecting my data cause I have nothing to hide. I use there service, they collect data to improve my experience. Fair enough. People ARE hackers, terrorists and pedophiles who care about privacy
its not about whether you anything to hide or not. I enjoy my privacy, does that mean I have something to hide? Not at all.
So, according to your thinking here, I must be lumped into the "People ARE hackers, terrorists and pedophiles who care about privacy" category. ( i will refrain from flaming now...)

lexluthermiester said:
I have a solution for this problem; Don't use Chrome. Instead use one of the many Chromium based alternatives such as;
The very excellent Iron which also has a portable version;
https://www.srware.net/en/software_srware_iron_download.php
Or Comodo's Dragon;
https://www.comodo.com/home/browsers-toolbars/internet-products.php?track=8992&af=7639
The top of the list for privacy browsers is the Tor Project.

There is also Epic Browser, I am not sure what its based on.
Posted on Reply
#13
ZhangirDuyseke
DeathtoGnomes said:
its not about whether you anything to hide or not. I enjoy my privacy, does that mean I have something to hide? Not at all.
If you enjoy your privacy what the hell are doing on the Internet? There is no privacy! Sites collect cookies, services collect data, even social networks reveal importats and private information about people. There is no privacy on the Internet. You probably use Tor, VPN, and tape you webcam as well, ahahah
Posted on Reply
#14
DeathtoGnomes
ZhangirDuyseke said:
If you enjoy your privacy what the hell are doing on the Internet? There is no privacy! Sites collect cookies, services collect data, even social networks reveal importats and private information about people. There is no privacy on the Internet. You probably use Tor, VPN, and tape you webcam as well, ahahah
ninja posted...
ignorance is bliss eh? obviously you are totally clueless how to protect your privacy and reduce your foot print. But hey, I'm sure no one ever accused you of being intelligent.
Posted on Reply
#15
jsfitz54
Quick, pass the potato chips!
Posted on Reply
#16
ZhangirDuyseke
DeathtoGnomes said:
ninja posted...
ignorance is bliss eh? obviously you are totally clueless how to protect your privacy and reduce your foot print. But hey, I'm sure no ever accused you of being intelligent.
I am realistic unlike you. I understand that I am of no interest to companies, government, FBI or UFO. You care about privacy because you think you are some kind of important person, but you are nobody, nothing. Just an ordinary Joe who has gigantic ego to think that he is someone big.
Posted on Reply
#17
Andromos
Yeah I don't like this, if I sign into Gmail now at work in chrome, then my employer gets my history, bookmarks, etc. from my personal devices
Posted on Reply
#18
diatribe
Andromos said:
Yeah I don't like this, if I sign into Gmail now at work in chrome, then my employer gets my history, bookmarks, etc. from my personal devices
I use a dedicated work account with Chrome at work and my personal account when at home. Just keep the two account separated.
Posted on Reply
#19
lexluthermiester
DeathtoGnomes said:
The top of the list for privacy browsers is the Tor Project.
I was keeping the focus deliberately narrowed to browsers based on Chromium for compatibility with plugins, addons and whatnot.
However, TOR is a good privacy/security focused browser. It requires a user to follow a specific methodology which limits some functionality. Then there's the problem of site and whole countries actively blocking the entire TOR network. This ultimately makes a "standard" browser far more a viable choice.

diatribe said:
I use a dedicated work account with Chrome at work and my personal account when at home. Just keep the two account separated.
Or don't use them outside of work. Other than convenience, there is little reason to login to a browser just to use it. This is an invasion of privacy that goes too far.
Posted on Reply
#20
R-T-B
ZhangirDuyseke said:
Sheesh. People care about privacy like they are the most important people in the world! First of all there is no privacy on the Internet, second, what makes you think that one of the biggest tech companies in the world like Google is interested in miserable and worthless works like you?! Or maybe you care about it because you are cybercriminals, terrorists or you sell drugs?
I care about it for human rights, but thanks for the implication.

ZhangirDuyseke said:
The first link you shared contained photo of Snowden, the traitor and fool. You get educated. You are nobody to tech companies to spy on you, paranoid.
Snowden may be a Traitor in the eyes of the US government, but that does not change the fact his leaks were acurate and confirmed.

ZhangirDuyseke said:
The first link you shared contained photo of Snowden, the traitor and fool. You get educated. You are nobody to tech companies to spy on you, paranoid.
Advertising money is nothing, right? /s

ZhangirDuyseke said:
I am realistic unlike you. I understand that I am of no interest to companies, government, FBI or UFO. You care about privacy because you think you are some kind of important person, but you are nobody, nothing. Just an ordinary Joe who has gigantic ego to think that he is someone big.
The only one acting egotistical here right now is you. Please quit the trollish behavior if you can help it.

ZhangirDuyseke said:
You probably use Tor, VPN, and tape you webcam as well, ahahah
And you probably think TOR doesn't work for privacy, they have tech that can break VPNs, and tape over webcams can be seen through by magic hacks?

Only one of those may be true... I'll give you a kudos if you can guess which one.

Privacy isn't magical if you understand it. Please, step aside. People with some understanding of the tech are talking.

ZhangirDuyseke said:
People ARE hackers, terrorists and pedophiles who care about privacy
Care to PM me your bank info?

Oh, I thought you had nothing to hide?

I am none of the above and would appreciate if you'd stop with the slander.
Posted on Reply
#21
windwhirl
Google could have saved themselves some trouble if they had bothered to add some message explaining all this right into the browser when it launched and adding a configuration choice somewhere visible (Chrome flags are some obscure magic for most people)...

EDIT:
ZhangirDuyseke said:
Sheesh. People care about privacy like they are the most important people in the world! First of all there is no privacy on the Internet, second, what makes you think that one of the biggest tech companies in the world like Google is interested in miserable and worthless works like you?! Or maybe you care about it because you are cybercriminals, terrorists or you sell drugs?
The change discussed here is mostly relevant for people using shared computers (e.g., parents and children sharing one single computer) or for those that do not like Chrome saving certain information. I think that's a legitimate worry.

By the way, welcome to the forums. Should we give you a badge for nearly calling us all criminals from day one? Or for calling us "miserable and worthless works" (I bet you wanted to type worms)?
Posted on Reply
#22
natr0n
Google's going to play a big part in the end times.
Posted on Reply
#24
Basard
natr0n said:
Google's going to play a big part in the end times.
Can't wait. I hope I make it through to the beginning times.
Posted on Reply
#25
Paganstomp
Gawd... hope they dont want my bank account info, too. Oh... wait. That was Facebook.
Posted on Reply
Add your own comment