Tuesday, September 25th 2018
Chrome 69 Adds Forced Login, Threatens Privacy: How to Fix it
There was a time when Chrome users could be safe and think that what they did in Google Services (Gmail, YouTube, Maps, etc) was separated from their actions in the browser. One thing wasn't necessarily tied to the other, but now things have changed - and without any public disclosure from Google.
Starting with the recently published Chrome 69, if you use this version of Chrome and log into any Google service or site, you will be automatically and magically logged into Chrome with that user account. A systems architect called Bálint disclosed a problem that changes Chrome behavior in a way that could potentially harm user's privacy.
Before Chrome 69, the sign-in into the browser was optional, and it allowed you to have your cookies, history or bookmarks across all the devices on which you used Chrome. It was convenient for many people, but the user had to actually enable it with two steps: logging into Chrome, and then enabling Google Sync in the second place. Even if you were logged into Gmail, you could be using Chrome without being logged at all in the browser (or logged into it with a different user's account, for that matter).
That was the problem according to Google engineers, who have claimed the change in Chrome 69 is due to "consistency" problems. Adrienne Porter Felt, engineer & manager in Google Chrome, tweeted about this and explained that her team made this change "to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device".
The change has made a lot of people angry, though. As Bálint pointed out on his analysis, the problem lies with doing things right, and taking away that option from the user has ignited the debate on privacy. Even with Google's best intentions, the change has been seen as the latest threat on a long list of threats Google has made to their user's privacy.
Matthew Green, a cryptographer and professor at Johns Hopkins University, was even more critical about the problem when he wrote "Why I'm done with Chrome". He questioned Google rationale "for why this change was necessary", and criticized the "enormous implications for user privacy and trust" this change has.
Google engineers insist: Sync doesn't automatically turn on with the auto login, so for them the privacy problem is not that big. The problem according to Green is that user consent matters, and for many critics of the change, this is the real threat for a decision that was made to take away user consent and potentially help Google to collect more and more data.
In fact, there's even more to the story: the CTO and co-founder of ContentPass, Christoph Tavan, discovered how when the user makes Chrome clear all cookies, the browser deletes all... except from Google cookies.
Fortunately, users can disable this forced login policy. To do so, you must use Google Chrome flags and change one of the parameters to avoid problems.
The steps are the following:
1. Go to "chrome://flags/#account-consistency"
2. That will show the flag 'Identity consistency between browser and cookie jar' select "Disabled" from the drop-down menu
3. Click on "Relaunch now"
After that, you will be able to keep the old Chrome behavior, and logging into Google services and sites won't log you into Chrome.
Update (09/26/18): Google has announced a series of changes in Chrome 70 to address these issues. A blog post by one of Chrome product managers explains how the next version of Chrome will introduce controls to disable Chrome sign-in, for example. The "Delete All Cookies" option will take care of Google auth cookies too in order to remove then. Finally, they will update their UI to "better communicate a user's sync state".
Source:
Bálint's extended musings
Starting with the recently published Chrome 69, if you use this version of Chrome and log into any Google service or site, you will be automatically and magically logged into Chrome with that user account. A systems architect called Bálint disclosed a problem that changes Chrome behavior in a way that could potentially harm user's privacy.
That was the problem according to Google engineers, who have claimed the change in Chrome 69 is due to "consistency" problems. Adrienne Porter Felt, engineer & manager in Google Chrome, tweeted about this and explained that her team made this change "to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device".
The change has made a lot of people angry, though. As Bálint pointed out on his analysis, the problem lies with doing things right, and taking away that option from the user has ignited the debate on privacy. Even with Google's best intentions, the change has been seen as the latest threat on a long list of threats Google has made to their user's privacy.
Matthew Green, a cryptographer and professor at Johns Hopkins University, was even more critical about the problem when he wrote "Why I'm done with Chrome". He questioned Google rationale "for why this change was necessary", and criticized the "enormous implications for user privacy and trust" this change has.
Google engineers insist: Sync doesn't automatically turn on with the auto login, so for them the privacy problem is not that big. The problem according to Green is that user consent matters, and for many critics of the change, this is the real threat for a decision that was made to take away user consent and potentially help Google to collect more and more data.
Fortunately, users can disable this forced login policy. To do so, you must use Google Chrome flags and change one of the parameters to avoid problems.
1. Go to "chrome://flags/#account-consistency"
2. That will show the flag 'Identity consistency between browser and cookie jar' select "Disabled" from the drop-down menu
3. Click on "Relaunch now"
After that, you will be able to keep the old Chrome behavior, and logging into Google services and sites won't log you into Chrome.
Update (09/26/18): Google has announced a series of changes in Chrome 70 to address these issues. A blog post by one of Chrome product managers explains how the next version of Chrome will introduce controls to disable Chrome sign-in, for example. The "Delete All Cookies" option will take care of Google auth cookies too in order to remove then. Finally, they will update their UI to "better communicate a user's sync state".
46 Comments on Chrome 69 Adds Forced Login, Threatens Privacy: How to Fix it
Also the nr 1 privacy thing it's the Credit Card info and also the password with different shopping sites. I really don't want those to be saved on a public Cloud somewhere where there is a chance (slight but there is) that the info is shared or used in various shaddy purposes. It's not paranoia, those are already exposed facts.But this is since forever, not just with v69. o_O
The NSA has access to all data mining advertisers with tracking cookies, they can take data from multiple sources and pinpoint you according to your habits and websites you visit, even what porn you like. Google and Facebook has your name and likely your address too, coupled with cookie tracking they know who you are and can start actively gather your data. This is why there is huge fights against legislature and bills that bring up the faintest privacy concerns. If anyone really wants to read up on some privacy issues go to EFF.org.
Tickles me silly people bitching about privacy, then use Google.
If that doesn’t mean much to you, then consider how big data helped recent elections. Even if no one cares about you or me personally, our contribution to the data set is what makes things like that possible.
Anyone know of a good GMAIL replacement?
However, there are too many fools out there, like ZhangirDuyseke, who are so intoxicated by big media that they go by "if you don't have anything to hide - why bother" that it is frightening.
However, that phrase is being spoken the loudest in the US. At least that is the way I have perceived it so far. This bein said - he has a point as well. You cannot complain that this has been done while happily posting on social media for everyone to see.
Before you're asking - I have social media as well, but that is LinkedIn only - which only has my CV in order to easier apply for positions, etc. I have no Facebook, Twitter and what ever they are called though.
So yes, as mentioned by other people, privacy has nothing to do with having no info online, but rather how much and available to whom.
But I suggest you guys try it out, may not apply to all devices, regions, who knows.