Chrome 69’s Sync Controversy, Unacceptable as per World Renowned Cryptographer
Google is in the middle of a non-disclosure controversy over how Chrome 69 changed the behavior of the Chrome Sync feature. Prior to Chrome 69, logging in to a Google account on a Google site like Gmail or YouTube had no effect on Sync. But with the most recent version update, simply logging in to Gmail or YouTube automatically logs the user in to Chrome Sync as well. Chrome Sync is a browser feature that synchronizes history, bookmarks, cache and other browser data to the cloud for ease of use and convenience. However, even though Chrome Sync has existed for many years, not everyone takes advantage of the feature, due to privacy concerns.
With the change introduced in Chrome 69, the automatic login to Chrome Sync every time a Google account signs in to a Google-owned online service exposes unsuspecting users to privacy risks without them realizing it is happening. Matthew Green, a popular cryptographer, has publicly announced his abandonment of Chrome for a different browser due to the issue.
“Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this. The change makes a hash out of Google’s own privacy policies for Chrome. Google needs to stop treating customer trust like it’s a renewable resource because they’re screwing up badly,” explained Green.
Google, for its part, tried to calm people down through engineer and manager Adrienne Porter Felt, via the Twitter posts below:
Adrienne Porter Felt (@__apf__)
Replying to @getchepi @matthew_d_green
Sync is not turned on unless you later turn it on.
Adrienne Porter Felt (@__apf__)
Hi all, I want to share more info about recent changes to Chrome sign-in. Chrome desktop now tells you that you’re “signed in” whenever you’re signed in to a Google website. This does NOT mean that Chrome is automatically sending your browsing history to your Google account! 1/
Adrienne Porter Felt (@__apf__)
To reiterate, signing in does NOT turn on Chrome Sync. The Chrome Help Center https://support.google.com/chrome/answer/185277?co=GENIE.Platform%3DDesktop&hl=en … and Chrome White Paper https://www.google.com/chrome/privacy/whitepaper.html … have up-to-date details about this change. My colleagues are updating the Chrome privacy notice ASAP to make this more clear 6/6
Green refuted Google’s claim that this issue is not a big deal. “But note something critical about this scenario. In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place. So if signed-in users are your problem, why would you make a change that forces unsigned-in users to become signed-in? I could waste a lot more ink wondering about the mismatch between the stated “problem” and the “fix”, but I won’t bother: because nobody on the public-facing side of the Chrome team has been able to offer an explanation that squares this circle.”
For Green, the Chrome team’s justification is not valid. He maintains that Chrome 69’s new automatic login to Sync exposes users to a privacy risk they don’t deserve. “For ten years I’ve been asked a single question by the Chrome browser: “Do you want to log in with your Google account?” And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision. The Chrome developers want me to believe that this is fine, since (phew!) I’m still protected by one additional consent guardrail. The fact of the matter is that I’d never even heard of Chrome’s “sync” option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I’m forced to learn these new terms and hope that the Chrome team keeps promises to keep all of my data local as the barriers between “signed in” and “not signed in” are gradually eroded away.”
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies, etc. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.