Wtf I Am Tired Signing Into Google Over Over Again
This blog is mainly reserved for cryptography, and I try to avoid filling it with random "someone is wrong on the Internet" posts. After all, that's what Twitter is for! But from time to time something bothers me enough that I have to make an exception. Today I wanted to write specifically about Google Chrome, how much I've loved it in the past, and why — due to Chrome's new user-unfriendly forced login policy — I won't be using it going forward.
A cursory history of Chrome
When Google launched Chrome ten years ago, it seemed like one of those rare cases where everyone wins. In 2008, the browser market was dominated by Microsoft, a company with an ugly history of using browser dominance to crush their competitors. Worse, Microsoft was making noises about getting into the search business. This posed an existential threat to Google's internet properties.
In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google's other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.
For many years this is exactly how things played out. Sure, Google offered an optional "sign in" feature for Chrome, which presumably vacuumed up your browsing data and shipped it off to Google, but that was an option. An option you could easily ignore. If you didn't take advantage of this option, Google's privacy policy was clear: your data would stay on your computer where it belonged.
What changed?
A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It'll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)
Your sole warning — in the event that you're looking for it — is that your Google profile picture will appear in the upper-right hand corner of the browser window. I noticed mine the other day:
The change hasn't gone entirely unnoticed: it received some vigorous discussion on sites like Hacker News. But the mainstream tech press seems to have ignored it completely. This is unfortunate — and I hope it changes — because this update has huge implications for Google and the future of Chrome.
In the rest of this post, I'm going to talk about why this matters. From my perspective, this comes down to basically four points:
- Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they've given don't make any sense.
- This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
- The change makes a hash of Google's own privacy policies for Chrome.
- Google needs to stop treating customer trust like it's a renewable resource, because they're screwing up badly.
I warn you that this will get a bit ranty. Please read on anyway.
Google's stated rationale makes no sense
The new feature that triggers this auto-login behavior is called "Identity consistency between browser and cookie jar" (HN). After conversations with two separate Chrome developers on Twitter (who will remain nameless — mostly because I don't want them to hate me), I was given the following rationale for the change:
To paraphrase this explanation: if you're in a situation where you've already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend's Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.
But note something critical about this scenario. In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.
So if signed-in users are your problem, why would you make a change that forces unsigned-in users to become signed-in? I could waste a lot more ink wondering about the mismatch between the stated "problem" and the "fix", but I won't bother: because nobody on the public-facing side of the Chrome team has been able to offer an explanation that squares this circle.
And this matters, because "sync" or not…
The change has serious implications for privacy and trust
The Chrome team has offered a single defense of the change. They point out that just because your browser is "signed in" does not mean it's uploading your data to Google's servers. Specifically:
While Chrome will now log into your Google account without your consent (following a Gmail login), Chrome will not activate the "sync" feature that sends your data to Google. That requires an additional consent step. So in theory your data should remain local.
This is my paraphrase. But I think it's fair to characterize the general stance of the Chrome developers I spoke with as: without this "sync" feature, there's nothing wrong with the change they've made, and everything is just fine.
This is nuts, for several reasons.
User consent matters. For ten years I've been asked a single question by the Chrome browser: "Do you want to log in with your Google account?" And for ten years I've said no thanks. Chrome still asks me that question — it's just that now it doesn't honor my decision.
The Chrome developers want me to believe that this is fine, since (phew!) I'm still protected by one additional consent guardrail. The problem here is obvious:
If you didn't respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn't even notify me that you had stopped respecting it!) why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we've all stopped paying attention?
The fact of the matter is that I'd never even heard of Chrome's "sync" option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I'm forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my information local as the barriers between "signed in" and "not signed in" are gradually eroded away.
The Chrome sync UI is a dark pattern. Now that I'm forced to log into Chrome, I'm faced with a brand new menu I've never seen before. It looks like this:
Does that large blue button signal that I'm already synchronizing my data to Google? That's scary! Wait, maybe it's an invitation to synchronize! If so, what happens to my data if I click it by accident? (I won't give the answer away, you should go find out. But make sure you don't accidentally upload all your data in the process. It can happen quickly.)
In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they're already syncing and thus there's no additional cost to increasing Google's access to their data.
Don't take my word for it. It even gives (former) Google people the creeps.
Big brother doesn't need to really watch you. We tell things to our web browsers that we wouldn't tell our best friends. We do this with some vague understanding that yes, the Internet spies on us. But we also believe that this spying is weak and probabilistic. It's not like someone's standing over our shoulder checking our driver's license with each click.
What happens if you take that belief away? There are numerous studies indicating that even the perception of surveillance can significantly magnify the degree of self-censorship users force on themselves. Will users feel comfortable browsing for information on sensitive mental health conditions — if their real name and picture are always loaded into the corner of their browser? The Chrome development team says "yes". I think they're wrong.
For all we know, the new approach has privacy implications even if sync is off. The Chrome developers claim that with "sync" off, a Chrome has no privacy implications. This might be true. But when pressed on the actual details, nobody seems quite sure.
For example, if I have my browser logged out, and then I log in and turn on "sync", does all my past (logged-out) data get pushed to Google? What happens if I'm forced to be logged in, and then later turn on "sync"? Nobody can quite tell me if the data uploaded in these conditions is the same. These differences could actually matter.
The changes make hash of the Chrome privacy policy
The Chrome privacy policy is a remarkably simple document. Unlike most privacy policies, it was clearly written as a promise to Chrome's users — rather than as the usual lawyer CYA. Functionally, it describes two browsing modes: "Basic browser mode" and "signed-in mode". These modes have very different properties. Read for yourself:
In "basic browser mode", your data is stored locally. In "signed-in" mode, your data gets shipped to Google's servers. This is easy to understand. If you want privacy, don't sign in. But what happens if your browser decides to switch you from one mode to the other, all on its own?
Technically, the privacy policy is still accurate. If you're in basic browsing mode, your data is still stored locally. The problem is that you no longer get to decide which mode you're in. This makes a mockery out of whatever intentions the original drafters had. Maybe Google will update the document to reflect the new "sync" distinction that the Chrome developers have shared with me. We'll see.
Update: After I tweeted about my concerns, I received a DM on Sunday from two different Chrome developers, each telling me the good news: Google is updating their privacy policy to reflect the new operation of Chrome. I think that's, um, good news. But I also can't help but note that updating a privacy policy on a weekend is an awful lot of trouble to go to for a change that… apparently doesn't even solve a problem for signed-out users.
Trust is not a renewable resource
For a company that sustains itself by collecting massive amounts of user data, Google has managed to avoid the negative privacy connotations we associate with, say, Facebook. This isn't because Google collects less data, it's just that Google has consistently been more attentive and responsible with it.
Where Facebook will routinely change privacy settings and apologize later, Google has upheld clear privacy policies that it doesn't routinely modify. Sure, when it collects, it collects gobs of data, but in the cases where Google explicitly makes user security and privacy promises — it tends to keep them. This seems to be changing.
Google's reputation is hard-earned, and it can be easily lost. Changes like this burn a lot of trust with users. If the change is solving an absolutely critical problem for users, then maybe a loss of trust is worth it. I wish Google could convince me that was the case.
Conclusion
This post has gone on more than long enough, but before I finish I want to address two common counterarguments I've heard from people I generally respect in this area.
One argument is that Google already spies on you via cookies and its pervasive advertising network and partnerships, so what's the big deal if they force your browser into a logged-in state? One individual I respect described the Chrome change as "making you wear two name tags instead of one". I think this objection is silly both on moral grounds — just because you're violating my privacy doesn't make it ok to add a massive new violation — but also because it's objectively silly. Google has spent millions of dollars adding additional tracking features to both Chrome and Android. They aren't doing this for fun; they're doing this because it clearly produces data they want.
The other counterargument (if you want to call it that) goes like this: I'm a n00b for using Google products at all, and of course they were always going to do this. The extreme version holds that I ought to be using lynx+Tor and DJB's custom search engine, and if I'm not I pretty much deserve what's coming to me.
I reject this argument. I think it's entirely possible for a company like Google to make good, usable open source software that doesn't massively violate user privacy. For ten years I believe Google Chrome did just this.
Why they've decided to change, I don't know. It makes me sad.
Source: https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/