Crowdpower!
Even the mighty, all-seeing EoG (eye of Google) can’t always predict how its users are going to feel about new features that are so “obviously” cool that they get turned on by default.
Here at Naked Security, we’ve always favoured opt in, where new features really are so nice to have that users can’t wait to enable them, rather than opt out, where users get the choice made for them and can’t wait to find out how to undo it.
So, we weren’t surprised that there was quite some backlash from Google Chrome users when the latest update to the world’s most widely-used browser changed the way that logging in worked.
As we reported earlier this week:
Users were complaining this week after discovering they’d been logged in to Google’s Chrome browser automatically after logging into a Google website.
In the past, by default, logging into Gmail and Chrome were two separate actions – if you fired up Chrome to read your Gmail, you wouldn’t end up logged in to Chrome as well.
You could choose to enable what’s often referred to as single sign-on, but it wasn’t out-of-the-box behaviour.
But Google – surprise, surprise – figured that what it calls “sign-in consistency” would be such a great help (to Google, if not necessarily to you) that it started doing a sort of single sign-on by default, instead of treating your various Google accounts separately.
As you can imagine, or have probably experienced for yourself if you are a Chrome user, that’s a rather serious sort of change to do without asking.
It’s a bit like a home automation system deciding that after the next firmware update it will start unlocking all your doors at the same time whenever you open your garage, even though that’s not how it worked before.
You can just imagine the marketing focus group arguing for this feature – it means you can park and then go straight on into your house with your arms full of groceries without fumbling for your keyfob a second time, and why did we never think of that before?
“Hey,” the focus group choruses, “A vocal minority has been shouting for this feature so we absolutely must have it, and everyone should get it right away just to prove that we’re clever!”
And you can imagine the techies arguing just as strongly against it – you could easily end up leaving your whole house unlocked unintentionally, and why did we ever think that was a good idea?
“Back off,” retort the techies, “You can’t loosen up security settings and then wait for users to realise by accident, so no one should get it without being asked first.”
Of course, you can also imagine the marketing team winning the battle: because frictionlessness; because cool; because shiny new feature; because progress; because, well, because “duh”! (Because lead generation opportunities, too, but let’s just think that instead of saying it out loud.)
Well, Google has capitulated, sort of.
The company still thinks you ought to appreciate the new feature of autologin, and it pretty much implies that you’re wrong if you feel otherwise, but it has had the good grace to pay attention nevertheless:
We’ve heard — and appreciate — your feedback. We’re going to make a few updates in the next release of Chrome (Version 70, released mid-October) to better communicate our changes and offer more control over the experience.
What Google doesn’t seem to have done is to revert the unpopular change to the status quo ante – by default, as far as we can see, you’ll still get logged into Chrome automatically whenever you log in to some Google service in Chrome, if you see what we mean.
There will now be a switch you can toggle to turn autologin off, but you’ll need to go there yourself and flip said switch.
Our preference is still for opt in by default, so we’d be happier to see Google add the toggle and set it off until turned on.
But we’re willing to be thankful for small mercies, and to applaud Google nevertheless for listening at least in part, and reacting quickly.
Jim Gersetich
What bothered me the most about the change that led to this undo, is that I use three different GMail accounts (a business account, a blogging account, and a personal account.) I’m sure glad they changed it.
Ken Sims
As far as I’m concerned, Chrome isn’t a browser, it’s a Google app, so I’ll stick with Firefox, thank-you-very-much. I did have Chrome installed for a while because it was required for a particular online service that I was using, but that service sucked so I dropped it. I kept Chrome installed and updated for a while after that until Google made some previously anti-privacy change, at which point I uninstalled it.
Anonymous
Thank you for this Paul. I never sign in to Chrome ever. I sign in to my gmail account only when I need to access it and always sign out when finished. First because I have multiple gmail accounts but mainly because I am paranoid about staying signed in to anything.
I immediately checked after reading your article by first signing into a gmail account and then opening a new instance of Chrome and what do you know there up in the right upper corner of Chrome was an icon showing me signed in. Then I checked Chrome cookies which I am obsessive about and what do you know a new cookie I have never seen before “myaccount.google.com” and also “contacts.google.com” which started showing up very recently.
Is there a way to block this now or do we have to wait for the new Chrome release in October?
Paul Ducklin
I’m not sure.
I don’t use Chrome, except from very occasionally to see if the look and feel might turn me into a faan. (I’ve just always liked Firefox more, and can’t find a reason to distrust Mozilla more than Google, and if I need a second browser I’ve got Safari pre-installed and updated on my Mac… so why change?)
Any Chrome fans able to advise?
Ken Sims
As noted above, I no longer have Chrome installed, but I found the following:
Load chrome://flags/#account-consistency in the browser’s address bar.
Click the associated drop-down and set the value to disabled.
Restart Chrome.
Anonymous
Thank you Ken.
I had checked through flags but I guess I missed that or didn’t realize that was what I needed. I have had nothing but issues with Chrome since it updated to Chrome 69. I have always turned off suggesstions for omni box and search box. Now however it is just ignoring the fact it is turned off and it is driving me nuts. As well it is trying to tell me how to spell even though that also is turned off. So every time I type “colour” it nags me to be a Trumpster and make it “color”.
Anonymous
This is just Google testing the water for Fuchsia and ChromeOS (or whatever they call it). Web apps will pretty much be the norm in ten years time which will require you to be permanently logged in. I really don’t like this style of computing but I can see that it will be very convenient for a lot of people, and convenience / laziness is what Google panders to – most people will take convenience over security or privacy any time. It will soon be that it won’t matter what OS you will have as long as it is capable of running Chrome (or derivatives) then you will be able to run any app direct from any website. I just hope Mozilla keeps up.