Google Chrome could be tracking what users are doing without them being aware of it, according to an expert in digital content protection.
Until recently Google Chrome users have been able to use the browser without logging in.
However, now when people log into a Google service such as Gmail they are automatically logged into Chrome without their consent.
According to cryptographer and Professor Matthew Green, who wrote a blog post ‘Why I’m done with Chrome’, Google quietly made these changes several weeks ago.
Professor Green revealed that people could mistakenly activate ‘sync’, which means the firm can log users’ behaviour and access their data without them knowing.
Professor Green warned that the development has ‘enormous implications for user privacy and trust’.
‘A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience’, Professor Green from the Johns Hopkins Information Security Institute wrote in his blog.
‘From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you.
‘It’ll do this without asking, or even explicitly notifying you’, he said.
This means users are unknowingly sending their data to Google if they have the ‘sync’ feature activated, he warned.
According to Professor Green, the barriers between ‘signed in’ and ‘not signed in’ are gradually being eroded away.
This means many of Chrome’s one billion users are mistakenly consenting to their data being accessed as the Chrome sync user interface is confusing.
He believes these changes make a hash out of Google’s own privacy policies.
‘In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click.
‘This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data’, he said.
A Google spokesperson directed MailOnline to a Twitter post by Chrome engineer Adrienne Porter Felt who explained that users still have to consent to have their data synced.
‘I want to share more info about recent changes to Chrome sign-in’, she wrote.
‘Chrome desktop now tells you that you’re “signed in” whenever you’re signed in to a Google website.
‘This does NOT mean that Chrome is automatically sending your browsing history to your Google account!’, she wrote.
She also said that the Chrome privacy notice was being updated ‘ASAP’ to make the syncing option more clear.
Last month a study from Vanderbilt University gave a look at just how much data Google is harvesting from its users.
Researchers examined how the search giant collects information from Android mobile devices, Chrome browsers, YouTube and Photos, among other Google products.
But the most surprising revelation gleaned from the study is likely to be that Google continues to collect data even when users are browsing in incognito mode.
Google collects data in ‘active’ ways, such as when users sign into an application, as well as ‘passive’ ways that users are less likely to be aware of.
In this scenario, an application is designed to gather information on users when it’s running, sometimes without the user’s knowledge.
‘The extent and magnitude of Google’s passive data collection has largely been overlooked by past studies on this topic,’ according to the study, which was published last month.
Most people assume that their browsing history is hidden from Google when they use incognito mode.
However, the study explains that Google can still link the data from incognito browsers to a specific user.
That’s because if a user logs into a Google account while a private browser is open, cookies left behind on the incognito window can identify them.
If they close out of the incognito window before logging into a Google account, then the data will be erased.
HOW DOES GOOGLE TRACK ITS USERS’ LOCATIONS OUTSIDE OF ‘LOCATION HISTORY’?
A new investigation led by the Associated Press found that some Google apps automatically store time-stamped location data without asking – even when you’ve paused Location History.
The investigation found, for example:
- Google stores a snapshot of where you are when you open its Maps app
- Automatic daily weather updates on Android phones pinpoint where you are each time the forecast is refreshed
- Simple searches, such as ‘chocolate chip cookies,’ or ‘kids science kits,’ pinpoint your precise latitude and longitude – accurate to the square foot – and save it to your Google account
This information is all logged as part of the ‘Web and App Activity’ feature, which does not specifically reference location information in its description.
This is enabled by default, and stores a variety of information from Google apps and websites to your Google account.
When paused, it will prevent activity on any device from being saved to your account.
Leaving ‘Web & App Activity’ on and turning ‘Location History’ off only prevents Google from adding your movements to the ‘timeline,’ its visualization of your daily travels.
It does not stop Google’s collection of other location markers.
‘While such data is collected with user-anonymous identifiers, Google has the ability to connect this collected information with a user’s personal credentials stored in their Google Account,’ the study says.
What’s more, even if you avoid using Google services on an iOS device, the firm can still collect data on users.
Visits to non-Google webpages still registered a ‘surprisingly high’ number of communications with Google servers.
‘The number of times such Google services are called from an iOS device is similar to an Android device,’ the study noted.
‘In this experiment, the total magnitude of data communicated to Google servers from an iOS device is found to be approximately half of that from the Android device.’
Researchers were most concerned by the amount of ‘passive’ data collected via third-party networks and advertisers that aren’t owned by Google.
Google ‘learns a great deal about a user’s personal interests’ during a day of typical phone use – things like their location, routes taken, items purchased and music listened to, the study explained.