Who Needs Consent? Google Criticized Over Sneaky Changes To Browser Privacy Settings

Google is scrambling this week to assure users the new version of its popular Chrome browser isn’t trying to trick them into handing over personal data, after critics assailed the company for what they say is an attempt to defeat users’ efforts to maintain online privacy.

The two key issues involve users’ ability to erase cookies from their browsing history, and a new feature that automatically signs users into the Chrome browser whenever the user signs into any Google service.

The controversy comes as Google execs were set to testify before the U.S. Congress on Wednesday, reportedly planning to admit to privacy protection failures in the past.

As many tech experts pointed out in recent days, the latest edition of Google Chrome (the world’s most popular web browser, accounting for some 60 per cent of all browser use) came with a few changes the company didn’t go out of its way to publicize.

For one, Chrome 69 partly defeats users’ attempts to clear their browser history. When clearing cookies (the small files that keep track of details of a person’s visit to a website), the browser will clear all cookies, except for those associated with Google sites.

Also, as many users pointed out, the new Chrome automatically signs into a user’s Google account if that person signs into any Google service.

Google Chrome’s privacy policy states that when you are signed in on Chrome and your Google account is synced, “your personal browsing data is saved on Google’s servers.” That data can include browsing history, bookmarks, passwords and autofill information, and “other browser settings, like installed extensions.”

Automatic signing in on Chrome raises privacy concerns, wrote online security expert Matthew Green of Johns Hopkins University, one of the first people to publicly flag the changes.

“User consent matters,” he wrote on his blog. Green noted that Chrome has always asked users whether they want to sign in. “Chrome still asks me that question; it’s just that now it doesn’t honour my decision.”

For many, the concern is that Google will get access to users’ browser histories and other personal data without their knowing.

But Google, in defending its changes, said that simply being signed into the browser won’t result in all of a user’s data being synced across their devices. For that to happen, users would have to agree to the “sync” function, on top of being signed into the browser. Some critics suggested it isn’t immediately obvious to users whether their browsers have been “synced” or not.

In explaining the changes, Google Chrome engineer Adrienne Porter Felt said on Twitter that the changes were actually meant to improve privacy. When more than one person uses a device, data from one user can end up affecting the browsing experience of the other. The auto sign-in feature prevents this cross-linking of data, something Felt said is a “common occurrence.”

That explanation was met with a mixed response from tech experts. Some argued the explanation makes little sense, though others said the issue of data being linked to the wrong user on a device is a legitimate problem.

Felt also noted that users can sign out of Chrome if they want to delete Google-related cookies — an explanation that was unsatisfactory to some critics, who wondered why the browser retains those cookies in the first place.

In a blog post Wednesday, Chrome project manager Zack Koch said the company is responding to public criticism about the changes, and the next version of the browser — Chrome 70, set to be released in mid-October — will stop “undeleting” Google-related cookies.

Koch also said users will be given an option in their browser settings to stop automatic sign-in, and the browser will make it more obvious whether or not a user is signed in.

However, it appears this will be an “opt-out” feature, meaning automatic sign-in will still be the default setting on the browser. That has some privacy advocates worried, as many people simply leave the default settings on their browser.

Google executives were scheduled to appear before the U.S. Senate Commerce Committee on Wednesday, where the company was expected to admit to past “failures” in protecting user privacy.

“We acknowledge that we have made mistakes in the past, from which we have learned, and improved our robust privacy program,” Google chief privacy officer Keith Enright will say in written testimony before the Senate commerce committee.

Google will testify alongside AT&T, Amazon, Apple and other companies amid growing concerns about data privacy.

A history of privacy violations

In 2012, Google agreed to pay a then-record $22.5 million US civil penalty to settle Federal Trade Commission charges that it misrepresented to Apple Safari Internet browser users that it would not place tracking cookies or serve them targeted ads.

A year earlier, Google agreed to an FTC privacy settlement and regular privacy audits for 20 years after the U.S. government charged it used deceptive tactics and violated consumer privacy promises when it launched its social network, Google Buzz.

In August, Alphabet was sued and accused of illegally tracking movements of millions of iPhone and Android phone users even when they use a privacy setting to prevent it.

With files from David Shepardson, Reuters