Google took steps to quiet critics Wednesday after irking them earlier this week when data privacy issues tied to Chrome 69 came to light.
On Sunday, Matthew Green, a cryptographer and professor at Johns Hopkins University, blasted Google for what he said were questionable privacy policies in Chrome 69, launched earlier in September. He noted that Google automatically signs users into the Chrome browser when they sign into any other Google service. On Monday, a separate researcher also found that when he deleted cookies.txt files in Chrome, the browser cleared all cookies – except for Google cookies.
Zach Koch, Chrome product manager, responded on Wednesday in a post. He said the tech giant will make a few updates in Chrome 70 to “better communicate our changes and offer more control over the experience.” The next version of Chrome will be released mid-October.
“While we think sign-in consistency will help many of our users, we’re adding a control that allows users to turn off linking web-based sign-in with browser-based sign-in—that way users have more control over their experience,” he said. “For users that disable this feature, signing into a Google website will not sign them into Chrome.”
In addition, Google will update its user interfaces to better communicate a user’s sync state, making it clearer whether users are signed in and whether they are syncing data to their Google account. Finally, when users clear cookies, Chrome 70 will delete all of them and sign users out; the current version of the browser keeps the Google auth cookies so that users stay signed in after cookies are cleared.
In his Sunday blog post, Green claimed that an update to Google Chrome’s sign-in mechanism could clear a path to compromising the privacy of users’ browser data. He said that after he had signed into any Google service, such as Gmail, he was automatically signed into the Chrome browser.
At the same time, Christoph Tavan, the CTO of ContentPass, tweeted that Chrome 69 was keeping authentication cookies created for Google – even when users try to clear all their cookies.txt files in the Chrome browser.
“After hitting the ‘remove all’ button you still don’t end up with an empty cookie jar,” Tavan tweeted.
— Christoph Tavan (@ctavan) September 24, 2018
The feature also led to harsh criticism of Google.
“If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?” Green said.
Others took to Twitter to complain, such as Akhilesh Dhawan, director of Citrix product marketing, who called the feature an “invasion of privacy.”
Thinking of giving up @googlechrome due to lack of privacy controls. Logging my browsing history, without my explicit consent, and sending to Google is invading my privacy. #GiveUpChrome #PrivacyControl
— akhileshdhawan (@akhileshdhawan) September 24, 2018
Mark Kern, who worked as a team lead for the video game World of Warcraft, called the incident “another erosion of trust, privacy and consent over your data.”
Google Chrome is now forcing users to log in when they use the browser. Another erosion of trust, privacy and consent over your data.
— Mark Kern (@Grummz) September 25, 2018
Koch said that the feature was meant to better help users who share a single device: “We want to be clear that this change to sign-in does not mean Chrome sync gets turned on. Users who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such as turning on sync,” he said.
Parisa Tabriz, director of engineering at Google, also weighed in on the debate, reassuring users via Twitter that Google has heard feedback and plans to make product changes.
We’ve heard — and appreciate — your feedback from the last few days, and we’ll be making some product changes. 4/4
— Parisa Tabriz (@laparisa) September 25, 2018
Regardless, Google’s Chrome 69 faux pas comes at a time when many tech giants are coming under fire for their privacy practices. In August, Google was also criticized after a new report alleged that Google services track customers’ movements – even when they opt out.
In July, Google, Facebook, Microsoft and Twitter also were scrutinized for their prioritization of end user privacy after announcing a standards initiative called the Data Transfer Project (DTP), which enables data portability between cloud platforms.