Google has made an important change to the way the Chrome browser works, a move the company did not advertise to its users in any way, and which has serious privacy repercussions.
According to several reports [ 1, 2, 3], starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user’s Google identity and log the user into the Chrome in-browser account system –also known as Sync.
This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google’s servers.
Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts. This allowed users to surf the web while logged into a Google account but not upload any Chrome browsing data to Google’s servers, data that may be tied to their accounts.
Now, with the revelations of this new auto-login mechanism, a large number of users are angry that this sneaky modification would allow Google to link that person’s traffic to a specific browser and device with a higher degree of accuracy.
That criticism proved to be wrong, as Google engineers have clarified on Twitter that this auto-login operation does not start the process of synchronizing local data to Google’s servers, which will require a user click.
Furthermore, they also revealed that the reason why this mechanism was added was for privacy reasons in the first place. Chrome engineers said the auto-login mechanism was added in the browser because of shared computers/browsers.
When one or more users would be using the same Chrome browser, data from one or more users would accidentally be sent to another person’s Google account.