Google Chrome arguably is the best browser around to offer a seamless sync experience. Sign in with your Google Account, and you gain access to your passwords, bookmarks, auto-fill data, and more across devices regardless of platform. Security-wise, you are safe in the knowledge that you have to manually log in to the browser before you start syncing your data. Right? You couldn’t be more wrong.
To celebrate the 10th anniversary of Chrome, Google decided to do something drastic and rather stupid — sign you into Chrome when you really don’t intend to. But how? And what’s that Allow Chrome Sign-in option present within Chrome’s Advanced Settings panel doing all of a sudden? Well, that’s what you are going to find out, so do read on.
Google Chrome Signs You in Forcibly
Starting with Chrome version 69, Google ushered in a completely revamped user interface. But it’s not just the aesthetics that changed. Sign in to a Google web app, be it Gmail, Drive, or YouTube, and you are now also signed in at browser level automatically. You can see this by clicking the newly implemented portrait icon next to the address bar.
That sounds ridiculous and entirely unnecessary. Why would you want to sign in to Chrome just because you wish to use any of the Google products? Isn't that risky on shared devices? Wouldn’t that compromise your data by syncing everything locally?
Well, the questions are many and provide ample cause for concern. But even though Chrome signs you in forcibly, your data won’t start syncing locally unless you explicitly specify that. At least Google got that part correct, but the whole thing still doesn’t make sense. So why did Google implement this change in the first place?
An engineering manager on Chrome's development team somewhat attempted to explain the whole thing in a meandering series of tweets. To sum up those tweets, the new implementation is supposed to help you stay secure in a shared environment. The portrait menu notifies you of the fact that you've logged into a Google Account on some tab and serves as a reminder to sign out of everything whenever you wish to close the browser.
But sorry, Google — no one's going to buy that. Forcibly signing users into the browser seems like an imperfect solution to protect personal data on a shared desktop or device. What if you actually forget to sign out of the web app altogether? Now that you are also signed in automatically at the browser level, your personal data is in even greater danger. A stranger only needs to click on that Turn on Sync button to download all of your synced stuff locally.
Incoming: Allow Chrome Sign-In
Of course, Google’s attempt to sign you into Chrome automatically didn’t exactly gel with users. Cryptographer Matthew Green, in his blog post ‘Why I’m done with Chrome,’ went into great detail to explain why he believed Chrome's newest feature to be a ‘dark pattern.’ Here’s a snippet:
Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident?
The above quote makes a great deal of sense. Dark patterns push people into doing stuff that they don't really mean to. And in this case, although Chrome needs your explicit consent to start syncing, the fact that you are already signed in, combined with the provision of an overly large and shiny Turn on Sync button, might cause enough confusion to click it by accident.
What happens then? You not only download your data to some unprotected shared desktop but also upload a bunch of locally stored data to your Google Account. Not to mention the fact that Google can then track your activity without too much effort afterward.
Google may have realized the potential security and privacy implications of this move, or maybe they haven’t. But regardless, that’s where the Allow Chrome Sign-in feature comes into the picture. With the release of Chrome v.70, you now have the option to stop Chrome from signing you in automatically.
On the Chrome Settings panel, click Advanced, and simply flick off the switch next to Allow Chrome Sign-in. Once you do that, you won’t be signed in to Chrome just because you wanted to use a Google web app. On personal devices, you really don’t need to take the trouble to disable Allow Chrome Sign-in, but on shared desktops, it may be in your best interest to do that.
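On shared desktops an administrator can enforce this switch through Chrome's managed policy rather than relying on each user to flick it off. The following is an added example, not part of the original article: it audits a policy JSON document for the BrowserSignin and SyncDisabled enterprise policies (Chrome policy names the article does not mention), and the sample documents are constructed.

```python
import json

# BrowserSignin values defined by Chrome's enterprise policy (available from Chrome 70).
BROWSER_SIGNIN = {0: "disabled", 1: "enabled", 2: "forced"}

def audit_policy(policy_text):
    """Return findings for a managed-policy JSON document on a shared desktop."""
    policy = json.loads(policy_text)
    findings = []
    signin = policy.get("BrowserSignin")
    # JSON true/false would compare equal to 1/0 in Python, so require a real int.
    valid = type(signin) is int and signin in BROWSER_SIGNIN
    if signin is None:
        findings.append("BrowserSignin unset: users control the Allow Chrome Sign-in switch")
    elif not valid:
        findings.append(f"BrowserSignin has invalid value {signin!r}")
    elif signin != 0:
        findings.append(f"BrowserSignin is {BROWSER_SIGNIN[signin]}: browser sign-in is permitted")
    # With sign-in disabled, sync cannot be turned on; otherwise require SyncDisabled.
    signin_off = valid and signin == 0
    if not signin_off and policy.get("SyncDisabled") is not True:
        findings.append("SyncDisabled is not true: Turn on Sync stays available")
    return findings

# Constructed sample documents (not taken from any real deployment).
WEAK = '{"HomepageLocation": "https://intranet.example"}'
HARDENED = '{"BrowserSignin": 0, "SyncDisabled": true}'
WRONG_TYPE = '{"BrowserSignin": false}'
SYNC_OFF_ONLY = '{"BrowserSignin": 1, "SyncDisabled": true}'

if __name__ == "__main__":
    for name, doc in [("weak", WEAK), ("hardened", HARDENED),
                      ("wrong type", WRONG_TYPE), ("sync off only", SYNC_OFF_ONLY)]:
        results = audit_policy(doc)
        print(f"{name}: {'OK' if not results else '; '.join(results)}")
```
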
Time to Use a Sync Passphrase
With Allow Chrome Sign-in disabled, you won’t be signed into Chrome automatically anymore. But you can't always remember to do that when you frequently use shared devices. In that case, there's a solution to keep your data secure if you forget to sign out — by creating a passphrase.
Chrome's relatively unknown ‘sync passphrase’ feature applies an additional layer of encryption to your data. Whenever you want to sync your data onto a new device, you need to enter your passphrase — otherwise, Chrome Sync just won't work. Hence, no one else should be able to turn on sync and gain access to your account data without your passphrase.
Even if you turn on Chrome Sync by accident, you'll still need to enter your passphrase to start syncing your data.
Note: To start using a passphrase, click Sync within the Chrome Settings panel, and then click the radio button next to Encrypt Synced Data With Your Own Passphrase.
The passphrase also works in a way that prevents others from accessing data even in the event of a reset. If you are concerned about Chrome signing you in automatically, then it’s time that you started using one.
So, you now know what prompted the Allow Chrome Sign-in option to appear within Chrome in the first place. Pretty sneaky of Google to implement a feature to sign you in at browser level without consent, and a terrible privacy-related issue no matter how you look at it. But at least you now have the choice to stop that from happening.