Google has stepped into the debate over data security in its products, saying that signing out of Google “makes your authentication cookies invalid,” and that it will “be making some product changes.”
After it launched an update in Chrome 69, which meant that every time you logged into a Google service you were automatically signed into Google without notification, Google engineers have issued statements instructing on how to turn off sync in Chrome, while Chrome head Parisa Tabriz said that “the authentication cookie behavior is how we keep things synchronized” but feedback had been “heard and appreciated.”
This led to some privacy concerns about sharing of data between different Google services. Google’s Privacy notice states: “Chrome periodically sends information to Google to check for updates, get connectivity status, validate the current time, and estimate the number of active users.”
Cryptographer Matthew Green published a lengthy blog criticizing the update, saying that the change has “serious implications for privacy and trust” as “if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.”
Green also highlighted issues in situations such as user searching for mental health conditions, asking how comfortable would they be if their real name and picture were always loaded into the corner? “The Chrome development team says ‘yes’. I think they’re wrong.”
In an update published on Wednesday September 26, Chrome product manager Zach Koch insisted that “this change to sign-in does not mean Chrome sync gets turned on” and users “who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such as turning on sync” and the addition is intended to remind users which Google Account is signed in and better help users who share a single device.
In a planned update in Chrome 70, due in October, a control will be added which allows users to turn off linking web-based sign-in with browser-based sign-in. Users that disable this feature will not be signed into Chrome if they sign into a Google website.
“We’re also going to change the way we handle the clearing of auth cookies. In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared. We will change this behavior so that all cookies are deleted and you will be signed out.”