Google actually listens to users, hands back cookies and rethinks Chrome auto sign-in

Hides don't-be-creepy switch in browser settings as spectre of GDPR looms

56 Reg comments Got Tips?

Stung by criticism over its creepy cookie hoarding and automatic sign-in in Chrome, Google has pulled a swift U-turn. Kind of.

kids drink milkshake

That syncing feeling when you realise you may be telling Google more than you thought


Chrome 70, due in October, walks back controversial changes in the browser that had the privacy world all aflutter as Google said it heard and "appreciates" the feedback it got from users.

Doubtless still hiding behind the sofa in Google HQ, Chrome product manager Zach Koch trotted out the earlier excuse that automatically signing a user into Chrome when logging into a Google property was absolutely fine. He went further, showing a blown-up image of the browser to, er, demonstrate how clear the signed-in indicator was.

While still insisting that everything was peachy because this didn't also auto-enable a Sync slurp of the browser history, Koch proffered a compromise. An option to prevent the sign-in will be tucked away in the Privacy and Security settings, and if turned off, Chrome would behave as it always has.

The Register has contacted Google to check what the default behaviour of this switch is going to be. After all, if it silently defaults to On and the user has to hunt through the UI to turn the thing off, this is little more than a gesture.

Koch also highlighted tweaks to the Chrome UI to make it clearer if Sync is running or not. In our testing, the option "everything" was the default for Sync, requiring a user to opt out of a full slurp rather than opt in.

Finally, Koch assured users that Chrome's greedy hoarding of Google cookies will stop. Deleting all cookies will mean all cookies are deleted, you lucky, lucky people.

Independent cybersecurity and privacy researcher Dr Lukasz Olejnik reckoned that the changes, introduced silently in Chrome 69, were significant enough to merit a data protection impact assessment (DPIA) under GDPR.

Olejnik went on to say that the tweaks appearing in Chrome 70 further enriched the case. "In effect, Chrome 70 is shipping changes, addressing the issue in a reactive fashion. It is interesting to see Privacy by Design (not) at work."

For many, it is too little and too late.

The final word goes to Olejnik, who observed: "Would that [have] happened had nobody noticed? What if no privacy/trust-fluent folks had uninstalled Chrome? Who would watch then?"

Who indeed. ®


Biting the hand that feeds IT © 1998–2020