How an update to Chrome set things back
Huge tech companies will pull all manner of tricks to get your data, writes Shaun Prescott.
Google’s Chrome 69 update caused quite a kerfuffle when it rolled out in September, for one fairly innocuoussounding reason. In theory, the company had intended to streamline the log-in process across its various sites, including Gmail and YouTube. While previously you’d need to sign into each of these entities individually, 69 made it so a single log-in via any of these channels would sign you into the associated Google account on the browser level. This means that once you’ve signed into one account, you’d be signing into Chrome with a Chrome account.
According to Google Chrome engineer and manager Adrienne Porter Felt, these changes were made “to prevent surprises in a shared device scenario”. She continued: “In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device.” That sounds sensible in theory, but it neglects one user group: those who do not want to be signed into Chrome. With Chrome 69, Google made signing into the browser mandatory for anyone signing into Gmail or YouTube on any device.
Worse still, a new option to “sync” account data between signed-in devices appeared purposely vague: users new to the concept of logging into Chrome, couldn’t tell whether their data was syncing, or whether they were being offered to have their data synced. It seemed deliberately manipulative, according to cryptographer and John Hopkins University professor Matthew Green.
“In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click,” Green wrote in a blogpost on the matter. “Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data.”
After widespread condemnation for the move, Google allowed users to opt out of auto-browser log-in with the October release of Chrome 70 (it’s still “on” by default). Still, Google’s quiet attempt to corral its users into acquiring a Chrome account – not to mention the obscure “syncing” functionality – is an example of “dark pattern” user interface design. In other words, UI design that subverts its own established patterns in order to trick the user into opting into something.
Dark pattern design is a common strategy for dodgy software installers. For example: you’re prompted to tick a box to opt-in to the terms and agreements, but then you’re required to tick a box in order to opt-out of some third-party software demo being installed. These tactics were once the sole province of spam, viruses and hacks, but the likes of Facebook and Google are adopting the practice. “Data is the new oil,” is a widely repeated soundbite in 2018. And whether that’s true or not, tech companies are getting more and more desperate for it. Be vigilant.