A new password management method, a partial restyling of the interface and the evolution of the Omnibox are just some of the changes Google introduced in Chrome 69. Another change, however, has prompted discussion and debate about how user data is handled: it concerns the Google account, login and data synchronization.
Chrome and automatic login
In short, when you authenticate to one of the services offered by the Mountain View group (Gmail, Drive, Photos, etc.) through Chrome, you are also logged in to the browser itself, without being asked for explicit authorization. Before the latest update, this happened only with the user's consent. This raises more than justified concerns, brought to light by Matthew Green, cryptographer and professor at Johns Hopkins University, in a blog post with a rather self-explanatory title: "Why I'm done with Chrome".
In any case, it should be noted that this does not involve synchronizing personal data such as browsing history, favorites and passwords with Google's servers, as Adrienne Porter Felt, who works on the browser, points out. To check this, simply open the browser settings (chrome://settings/).
To reiterate, signing in does NOT turn on Chrome Sync. The Chrome Help Center https://t.co/t2pPjiqkVe and Chrome White Paper https://t.co/RFlpiSSs2j have up-to-date details about this change. My colleagues are updating the Chrome privacy notice ASAP to make this more clear 6/6
— Adrienne Porter Felt (@__apf__) September 24, 2018
According to Google, therefore, the new feature under discussion is nothing more than a behavior implemented to give the user a visual indication after logging in to one of its services, by showing an icon linked to the personal account in the upper right corner of the browser window.
What the policy says
This raises a further question, related to what is specified in Chrome's privacy policy. Let's jump to the section of the Policy titled "Chrome mode with successful login", where we find the following:
If the user accesses the Chrome browser or a Chromebook with his Google account, his personal browsing data is stored on Google's servers and synchronized with his account. Such data may include: browsing history, favorites, cards, passwords and autofill data, other browser settings ...
The passage then states in black and white that:
These settings are loaded automatically whenever you log into Chrome on other computers and devices.
So has the policy changed and Google hasn't updated the document yet? Or is the synchronization (loading of settings) not done for now, but could it happen in the future? The Mountain View group states that the upload does not take place at the moment, but the rules specify that through the login the action is allowed. There's a bit of confusion.
Two possible solutions
Fortunately, the end user can change the behavior under discussion through a setting accessible from the browser's flags. It is certainly not the most immediate or intuitive method, but it takes a few seconds and is within everyone's reach. To prevent forced login in Chrome when authenticating to a Google service, simply paste the following string into the address bar:
chrome://flags/#account-consistency
Next to the flag "Identity consistency between browser and cookie jar", it is then sufficient to select the "Disabled" option.
A possible alternative is offered by versions of the browser modified by third-party developers to be more respectful of privacy and personal information. We report the Ungoogled-Chromium release mentioned by the BleepingComputer website, which is however based on past versions of the code and therefore does not include some of the most recent features.
Conclusions
The debate has been triggered just as the Chrome project celebrates its first ten years. While Google's position on the matter is quite clear (the user is given an additional indication of the login status for the services offered), it is less easy to understand why the "feature" was introduced without explicit communication, for example in the posts that, as usual, list all the changes in the changelog of each new version.
It cannot be ruled out that the Mountain View group will choose to reverse course, removing a feature that seems likely to alienate some users, especially those who are more attentive to the protection of privacy. After all, Google has already proven time and time again that it is ready to welcome feedback, as in the case of the removal of the "www" and "m" subdomains from the address bar we talked about last week.
Source: Matthew Green
Chrome and Google account: when login is forced