Google secretly logs users into Chrome

For discussions about security.
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Google secretly logs users into Chrome

#1 Post by Flash »

Google secretly logs users into Chrome whenever they log into a Google site
Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change.

By Catalin Cimpanu for Zero Day | September 24, 2018
Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.

According to several reports [1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user's Google identity and log the user into the Chrome in-browser account system -- also known as Sync.

This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google's servers.

Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google's servers, data that may be tied to their accounts.

Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person's traffic to a specific browser and device with a higher degree of accuracy.

That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google's servers, which will require a user click.

Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.

When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person's Google account.


But despite this clearly logical decision behind this move, users are still angry. First and foremost, they are angry because they don't have this ability to decide when they log into their browser, and second, they are angry because Google had failed to tell them about this new move.

Google Chrome 69 was released on September 5, more than two weeks ago, and if you haven't been probing the depths of Twitter, Mastodon, or Hacker News, you wouldn't have known of this change in Chrome's behavior.

Almost all users who never used Chrome's Sync feature before might find it surprising that they are logged into Chrome right now, as they read this article, if they've also logged into a Google account somewhere on Gmail, YouTube, or any other service.

But the criticism doesn't stop here. Matthew Green, a well-known cryptography expert and professor at Johns Hopkins University, pointed out in a blog post today that Google has also redesigned the Sync account interface in a way that it is not clear anymore to users when they are logged in or what button they should push to start syncing.

He calls this change a "dark pattern," a term used to describe user interfaces that have been intentionally designed to be misleading.

In its current form, the Sync interface is indeed misleading, and a user might be one wrong click away from giving all their browser data to Google by accident.

But some also suggested that Google's move might have been planned well in advance. Chrome 69 was a major release for Google, coming with many new features, including a new user interface. Some claim that Google hid this new change in the Chrome 69 release, hoping that nobody would spot it among all the goodies the company added to its browser, hence, the reason why it did take over two weeks for Google aficionados to spot the update.

Green's social media clout, along with some heated Twitter conversations, did manage to push things at Google's HQ, and Chrome engineers have told Green that Google will clarify Chrome's Privacy Policy to reflect Chrome's new mode of operation.

Though this policy update may satisfy some lawyers in Google's cozy offices, this does not address the issue that Google has modified a Chrome feature without telling users, and that modification might lead to serious privacy breaches.

Microsoft has suffered a major reputational blow due to its initially hidden Windows 10 telemetry practices, and so has Facebook in the recent Cambridge Analytica scandal. Twitter is also known to be flooded with bots, fake news, and political influence campaigns, and Reddit is a home for communities dedicated to abuse, harassment, and physical threats.

Through the years, Google has managed to keep a shiny reputation, despite being known to be the biggest data hoarder around. It's usually shady behavior and small things like these that bring down a company's reputation. Oh, wait!

As one of the ZDNet readers pointed out earlier today on Twitter, users can disable the sneaky auto-login behavior by accessing the chrome://flags//#account-consistency page and disabling the Account Consistency option.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#2 Post by perdido »

Google Chrome Begins ‘Syncing’ All Browser Data to Your Identity Without Asking

google chrome. All the people that promote chrome are complicit.

If you drink from the google trough your most innermost secrets belong to google. And anyone that will pay google for that info.

Works hand-in-hand with govt. data profiling.

google developed a china search engine that keeps the china jackboot on the neck of chinese citizens. And who else???

If you use google you contribute to repression of the masses, it's a control thing for the govt., a $$$$ thing for google.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#3 Post by Burn_IT »

As one of the ZDNet readers pointed out earlier today on Twitter, users can disable the sneaky auto-login behavior by accessing the chrome://flags//#account-consistency page and disabling the Account Consistency option.
But only if you read the article or this post. Otherwise it is a "hidden" feature.
"Just think of it as leaving early to avoid the rush" - T Pratchett

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#4 Post by rufwoof »

Bookmarks are a very unique means to identify you for G to associate your history with. Chrome is a good browser, I recently switched over from FF. I am however running it with no bookmarks, cleared cache and config before and after running (Chrome is 5 million lines of code already before G add in additional cached stuff) and under OpenBSD chrome is pledged/unveiled (started with --enable-unveil command line parameter), so it only sees ~/Downloads (unveil) and has limited memory access (pledge).

Moat
Posts: 955
Joined: Tue 16 Jul 2013, 06:04
Location: Mid-mitten

#5 Post by Moat »

perdido wrote:google developed a china search engine that keeps the china jackboot on the neck of chinese citizens. And who else??
Yes - interesting... even some of Google's own employees appear to be going public (even quitting) in protest over it (YaY!);

https://www.vox.com/2018/9/25/17901252/ ... na-project

Bob

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#6 Post by rufwoof »

Mobiles have location identification that pin you down to within a few metres, and more often are a single individual. Static (ethernet) IPs identify individual homes/buildings - name, address, landline number ...etc. - often potential multiple users. Whilst bookmarks uniqueness is a means to identify likely individuals, there are other ways such as browser/OS/screensize, or even the speed of typing ..etc. that further refine down to individual devices/persons. Or an individual can be deduced - if the location/activity of four out of a family of five are known then even if the 5th person is cloaked activities might still be attributed to likely being by them.

Complaining about China openly monitoring - whilst ignoring the likes of the British/US ..etc governments who also (less openly) monitor ??!!

Car registration identification, facial recognition ...etc. all feed into the system. UK HMRC (tax) office are even working towards you not having to do your own tax declarations, but rather where they pre-prepare all of that and copy to you for final signature/agreement. A concern is that once a state knows everything about you, where and when you are, where all your assets are, then your assets are no longer yours, but rather just a loan by the state, potentially confiscated by the state at any time. Fine under more moderate state government, but if/when a more extreme government rises to power (we're close with a potential significant majority Marxist government here in the UK) then !!!

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

Brexit provides a clue. UK - we don't need a physical NI customs border as we can do it all electronically (EU opine that to be impossible - perhaps because their level of surveillance is a way behind the UK's).

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#8 Post by Burn_IT »

As for the UK tax forms, I find that useful since the majority of the information is the same from year to year and you are invited to correct any changed information.
I get very cross with all the forms I have to fill in from scratch every time, especially when the people concerned come back and highlight the differences and ask if you mean it or complain because you didn't tell them about the change in circumstances.
I have even had my local council threatening action because I got the date of a change wrong BY ONE DAY (I'd said a Saturday rather than a Friday because I looked up when I had received the notification rather than the date of change.)
That was the same office that once stopped my pension for three months (until I threatened them with court) because they said I hadn't notified them about a maturing endowment policy payment - which wasn't any of their business anyway. The thing was that I had anticipated that they might be funny about it and had used registered post and had a signature and date of receipt by them.

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#9 Post by Mike Walsh »

And this is why I no longer 'sync' Chrome. Only locally, between Puppies.

Multiple Pups share a common, remote browser, sym-linked into each one where they expect to find it. Each Pup thinks it's a local install.

Bookmarks are saved as an HTML file, so if I want to set up a USB Pup, f'r instance, they're added manually. Extensions are installed once.....and become part of the 'common' profile, which all share.

It's not perfect (far from it), but it does allow a uniform browsing experience, regardless of the Puppy I'm using for the day. And Google is receiving far less information from me than they would otherwise get.....

(*shrug*)


Mike. :wink:

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#10 Post by rufwoof »

This is my bookmarks html file Mike. I've had to split the inline image of a calculator icon onto separate lines (added newlines) for posting here, whereas in the actual file it's all one long line. The chrome tab title shows that icon + 16:48 Wed 26 Sep ... type format title, and when I activate that tab it contains all my manually maintained bookmarks. I open that by default as my first tab. As I use cwm that has each window in effect maximised with no borders or titles (window decorations) chrome in effect is the desktop, so having date/time visible in that is useful. alt-? cwm command to open a program (type first few characters of program name and press enter), alt-tab to flip between windows. I do leave a 1 pixel gap at the top of screen so I can desktop left/middle/right mouse click there to pop-up the main windows/program menus.

Beneath that the desktop wallpaper is just a picture, no icons, toolbars ... nothing. Nothing like your artworks/arrangements.

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>

<!-- javascript to show the current time/date in the title i.e. on the browser tab -->

<TITLE>Time</TITLE>

<!-- favicon (image of a clock) base64 ... -->
<link href="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIA
AAAAAAAAQAABILAAASCwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DQAAAEEAAABTAAAAUwAAAFQAAABTAAAAQgAAAA0AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAACAAAAPgAAAFgAAABJAAAANwAAAFEAAABcAAAAMgA
AAEwAAABVAAAAQAAAAAIAAAAAAAAAAAAAAAAAAAACAAAATwAAAEUAAABmA
AAAKQAAAAMAAAAtAAAANAAAAAIAAAAkAAAAaAAAAEgAAABQAAAAAgAAAAAA
AAAAAAAAQAAAAEMAAAA3AAAABAAAAE8AAAAAAAAALAAAADEAAAAAAAAATw
AAAAYAAAA0AAAARAAAAEIAAAAAAAAADgAAAFgAAABqAAAAAgAAAAAAAAAAA
AAAAAAAACwAAAAxAAAAAAAAAAAAAAAAAAAAAQAAAGQAAABbAAAAEAAAAE
UAAABBAAAAKAAAAE0AAAAAAAAAAAAAAAAAAAAsAAAAMQAAAAAAAAAAAAA
AAAAAAEsAAAAsAAAAPgAAAEgAAABTAAAAPwAAAAIAAAAAAAAAAAAAAAAAAA
AAAAAALAAAADEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQAAABUAAAAVwA
AAFQAAAAmAAAABAAAAAAAAAAAAAAAAAAAAD0AAABDAAAAAAAAAAAAAAAA
AAAABAAAACEAAABJAAAAWAAAAFcAAABUAAAALwAAAAYAAAAAAAAAAAAAAA
AAAAAqAAAAjQAAAAAAAAAAAAAAAAAAAAYAAAA0AAAAXQAAAFkAAABTAAAAO
AAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEAAABOAAAAAAAAAAAAAAA
AAAAAAAAAADUAAABTAAAASAAAAEgAAAAiAAAASwAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAiQAAABYAAAAAAAAASAAAACAAAABJAAAASgAAABEAAABXAAAAa
QAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAACOAAAAAAAAAAQAAA
BqAAAAVwAAABIAAAAAAAAARQAAAEUAAAAxAAAAAgAAAEsAAAAAAAAABQAAA
AYAAAAAAAAAWQAAAAIAAAAvAAAARQAAAEcAAAAAAAAAAAAAAAMAAABTAAAA
RgAAAGQAAAAmAAAAAAAAACgAAAAtAAAAAAAAACYAAABjAAAARQAAAFQAAA
AEAAAAAAAAAAAAAAAAAAAAAwAAAEUAAABXAAAASQAAADcAAABSAAAAUwAA
ADYAAABJAAAAWQAAAEcAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAEQAAAEkAAABTAAAAWAAAAFgAAABTAAAASgAAABIAAAAAAAAAAAAAAAAAA
AAA8A8AAMADAACAAQAAgkEAAA5wAAAOcAAAHngAAA5wAAAOMAAAHzgAAA8
QAAAPgAAAgkEAAIABAADAAwAA8A8AAA==" rel="icon" type="image/x-icon">

</HEAD>
<BODY>
<SCRIPT type="text/javascript" language="JavaScript">
 // Put the current time and date in the page title, i.e. on the browser tab
 function datetime() {
   var objToday = new Date();
   var weekday = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
   var months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
   var dayOfWeek = weekday[objToday.getDay()];
   // Zero-pad single-digit values so the title keeps a fixed width
   var dayOfMonth = objToday.getDate() < 10 ? '0' + objToday.getDate() : objToday.getDate();
   var curMonth = months[objToday.getMonth()];
   // 24-hour clock
   var curHour = objToday.getHours() < 10 ? "0" + objToday.getHours() : objToday.getHours();
   var curMinute = objToday.getMinutes() < 10 ? "0" + objToday.getMinutes() : objToday.getMinutes();
   var today = curHour + ":" + curMinute + " " + dayOfWeek + " " + dayOfMonth + " " + curMonth;
   document.title = today;
 }
 datetime();
 // Refresh once a minute; pass the function itself rather than a string to be evaluated
 setInterval(datetime, 60000);
</SCRIPT>
<CENTER>
<!-- target _blank ensures opens in a new tab -->
<a href="http://murga-linux.com/puppy" target="_blank">Puppy Linux Forum</a><br>
.
.
.
</body></html>

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

Burn_IT wrote:I get very cross with all the forms I have to fill in from scratch every time, especially when the people concerned come back and highlight the differences and ask if you mean it or complain because you didn't tell them about the change in circumstances.
I have even had my local council threatening action because I got the date of a change wrong BY ONE DAY (I'd said a Saturday rather than a Friday because I looked up when I had received the notification rather than the date of change.)
That was the same office that once stopped my pension for three months(until I threatened them with court) because they said I hadn't notified them about a maturing endowment policy payment - which wasn't any of their business anyway. The thing was that I had anticipated that they might be funny about it and had used registered post and had a signature and date of receipt by them.
Oh the joys of HMRC tax investigations. Sure they just pluck handfuls out as targets to investigate each year and if you're unfortunate enough to be a 'winner' boy is it painful. Weeks on end of to-and-fro, having to dig out documents from years ago in some cases for proof, and tight time demands, often with the letter posted date being a week after the letter content date, demanding a reply within 3 weeks of notification (date of letter). Having to put the rest of life on hold for around 3 months whilst you sigh with relief one day in having got the last inquiry sorted, only to receive another a day later. As you say on the pretext of pennies out or days out (perhaps as the excuse as to why you'd randomly been selected for investigation). Let alone trying to contact them by phone - hours of more often wasted time. Worst thing to become popular, customer enquiry response times being measured by how quickly they answered the phone, commonly resolved by installing auto answer machines, so you start paying for calls immediately, without even getting to speak to a real person for half an hour ... if you're lucky.

Not had one for around 4 years now, so I've probably just jinxed myself.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#12 Post by Burn_IT »

Oh! they tried the "date of this letter" trick on me as well. They actually predated a letter so that I didn't actually receive it till after the 7 day reply date. Where they made a mistake on that one was including information in the letter that they didn't actually have until later than the letter date because I hadn't given it to them until later and had verifiable proof of it.

I don't think I was being chosen at random, mainly because I also ran my own business and dealt with the taxes and VAT returns for that myself.

The curious part is that the government was one of the largest parts of my company's custom. (SIC)

I seldom trust anyone in business so I have a habit of covering my posterior whenever possible and that includes keeping copies of ALL official correspondence and refusing to give/receive official information over the phone where at all possible.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#13 Post by perdido »

Moat wrote:
perdido wrote:google developed a china search engine that keeps the china jackboot on the neck of chinese citizens. And who else??
Yes - interesting... even some of Google's own employees appear to be going public (even quitting) in protest over it (YaY!);

https://www.vox.com/2018/9/25/17901252/ ... na-project

Bob
As google deflects and denies. as usual when they are caught.
Google dodges questions about China during Senate privacy hearing

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#14 Post by perdido »
