For years, Google has given users of its Chrome browser the option of surfing the web without logging in.
But a security expert says Google quietly changed its requirements so that when a user logs in to a Google service such as Gmail, Chrome will automatically sign into their account.
Google tucked the new login requirements into the latest Chrome update without notifying users, Matthew Green, a cryptography expert who teaches at Johns Hopkins University, said in a blog post on Sunday.
The blog post, titled “Why I’m done with Chrome,” began generating debate on Sunday evening and appeared to send Chrome’s managers into damage control.
By being logged in, Chrome users could unwittingly send their browser data to Google, according to Green. He added that Chrome managers told him that just being logged into Chrome didn’t mean a user’s browsing information would be sent to Google — they would still need to activate the “sync” feature before a data transfer could occur.
This is where Green, who said he quit using Chrome because of the change, reserved some of his harshest criticism of Google. He called the Chrome sync-consent page a “dark pattern,” a term describing a user interface designed to deceive or mislead people.
“Now that I’m forced to log into Chrome,” Green wrote, “I’m faced with a brand new menu I’ve never seen before.” He suggested it could lead users to mistakenly consent to the sync, adding that before the login change, Chrome users had to key in their credentials to log in and then could consent. Now, users are a single — possibly accidental — click away from turning over their browsing history to Google, Green said.
Google referred Business Insider to a series of tweets posted early on Monday from Adrienne Porter Felt, a Chrome engineer and manager. In one tweet, she confirmed that Google had changed the login procedures. She also stressed that though users are logged in to Chrome, they must still consent to a sync before their data could be transferred to Google.
Green said it was “nuts” for Google to suggest users are safe because of the sync-consent page.
Green wrote: “If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me?”
According to a report on Business Insider