Google gives Chrome users an opt-out option after going back on privacy – TechCrunch



[ad_1]

Google reacted to a reversal of a hostile privacy change this week that removes the user agency by automating Chrome browser connections, bringing data back slightly – saying that this will allow users to disable this Web connection with the browser connection in an upcoming update (Chrome 70), scheduled for next month.

Updating to Chrome 69 means that users are automatically connected to the browser when they are connected to another Google service, which does not allow them to keep these distinct digital identities.

Now, Google says there will be an option to prevent it from pinning your Chrome navigation to your Google Account – but you'll have to wait about a month to get it.

And of course, for the millions of users who never touch the default settings that are automatically connected to Google's browser when they use another Google service such as Gmail or YouTube, this will be the new standard.

Matthew Green, professor of cryptography at Johns Hopkins, reported the change in a critical note of the weekend – titled Why I'm doing with Chrome – arguing that the new "forced connection" feature blurs the previously strong barrier between "never connected" and "connected", and thus erodes the trust of the user.

Prior to the update of Chrome 69, users had to actively choose to link their web-based and browser-based IDs. But the change made by Google switches this change, making the default setting hostile to privacy by dropping the navigation activity of a Chrome user into his Google identity.

In his blog post, Google says that connecting to Chrome does not mean that Chrome sync is turned on.

So, basically, this means that while it automatically links your Chrome browsing activity to your Web (Google) activity, it does not automatically copy your browsing data to its own servers, which would allow them to generate all sorts of information related to your subject. its advertising targeting goals.

"Users who want data such as browsing history, passwords, and bookmarks that are available on other devices need to take additional steps, such as enabling synchronization," writes Zach Koch, manager of Chrome products.

But in his blog post, Green also criticizes Google's user interface for syncing with Chrome – calling it a dark model and pointing out that it's now too easy for a user to accidentally send Google a file. massive personal data. love at first sight, the company "turned the issue of consent to data download of something affirmative I had to make efforts to – enter my Google credentials and connect to Chrome – in something that I can now do with one accidental click. "

"The fact is that I have never heard of the Chrome sync option – for the simple reason that until September 2018 I was never connected to Chrome. Now I am forced to learn these new terms, and I hope the Chrome team will keep its promises to keep all my local data as the barriers between "connected" and "unconnected" are gradually eroded, "he said. also wrote Green.

Hence his decision to dump Chrome. (Other browsers are certainly available, although Chrome represents by far the largest part of the overall browser usage.)

Responding to what Koch undoubtedly calls "feedback" on the controversial changes, he says Google will "better communicate our changes."

"We are updating our user interfaces to better communicate a user's synchronization status," he wrote. "We want to be clearer about your login status and whether or not you sync data to your Google Account."

His explanation for Google rejecting the default to be hostile to confidentiality (rather than affirmative) is to state that "we believe that consistency of connection will help many of our users." confused about the connection status of Chrome ".

"We believe that these user interface changes prevent users from inadvertently performing searches or browsing websites that may be registered on another user's synchronized account," writes he too.

Although, as Green points out, connecting more people to Chrome (rather than less) is a kind of fuzzy solution for a "pollution" account problem.

The reverse switch in Chrome also means that users must take Google's word not to automatically synchronize their data on their own servers – by making another opaque change, to further automate the collection of users' personal data. .

Privacy policies that can simply be rewritten unilaterally at any time, without the consent of the user, are not worth the pixels that they claim to be inked.

Let's not forget that it is the same company that, in 2012, has grouped together about 60 separate privacy policies into a single global policy and a Google Account covering several distinct Web products, thus reducing the identities of multiple users. before that, people had been able to maintain (to try to control what Google knew about them).

Google's privacy policy is clearly a solution – far from individual agency and control – and its ability to gather more and more personal data for use by its ad targeting business.

With the Chrome update, the company has cleared another privacy firewall for users wanting to combat the collection of conglomerate profiles of their online business.

And even with the announced after-the-fact change (and only after a critical reaction), which as early as next month will allow configuration professionals to disable the default Chrome auto-link, the general travel direction of the company does not comply the user agency. at all. Rather the opposite.

Google seems to be trying to make the consent itself an afterthought – that is to say for the few people who know how to delve into the parameters. Instead of what it should be: an affirmative concept, designed to ensure confidentiality is available for everyone.

Google's efforts to erode privacy may cause problems in Europe, where a complicated new regional data protection framework makes privacy of design and defects mandatory.

Failure to comply with this element of the RGPD may result in fines of up to 2% of a company's overall annual turnover – which would not be a paltry sum for a company as heavy as Alphabet.

And, as others have pointed out, Google is making a big difference to how Chrome handles connections. For example, the company would have been well advised to have completed a privacy impact assessment – to ensure that the changes made were consistent with the GDPR.

We asked Google if it had done a Data Protection Impact Assessment (DPIA) before proposing to change connections on Chrome 69 and would update this report with any response. Or if it manages EU registrations differently (which does not seem to be the case).

We also wondered if he would commit to making DPIA for Chrome public.

A spokesman acknowledged receipt of our questions but at the time of writing, the company had not sent any response.

There is another potentially problematic issue for Google here, vis-à-vis GDPR, because, according to Koch's blog post, Google authentication cookies are not currently cleared when cookies are cleared by the user .

He writes that he will "change this behavior so that all cookies are deleted and you are disconnected". But it will take about a month.

In the meantime, a user action (erasing cookies) does not result in the deletion of all cookies by Google – which sounds like a fairly clear violation of the EU's privacy rules, even if it is temporary next month.

We also asked Google not to erase all cookies.

Safely, Google's hostile privacy actions are sure to scrutiny in the EU where privacy is a fundamental right.

But the company should also face questions on the subject at a Senate committee hearing today – and should acknowledge that it has made "mistakes" on privacy issues, according to documents consulted by Reuters .

Although, apparently, she also claims to have "learned and improved our privacy program".

Some Chrome users would probably take a very different view.

[ad_2]
Source link