Google Chrome is arguably the best browser to provide a seamless sync experience. Sign in with your Google Account and you'll have access to your passwords, bookmarks, autofill data, and more on all devices, regardless of platform. From a security point of view, you are sure that you have to manually log in to the browser before you start syncing your data. Straight? You couldn't be more wrong.
To celebrate Chrome's 10th anniversary, Google decided to do something drastic and rather stupid: log into Chrome when you really don't mean to. But how? And what does the Allow Chrome Sign-In option present in Chrome's Advanced Settings panel do all of a sudden? Well, that's what you're about to find out, so read on.
Google Chrome forcibly logs you in
Starting with Chrome version 69, Google ushered in a completely redesigned user interface. But it's not just the aesthetics that have changed. Sign in to a Google web app, be it Gmail, Drive, or YouTube, and you're now also signed in automatically at the browser level. You can see this by clicking on the newly implemented portrait icon next to the address bar.
It seems ridiculous and totally unnecessary. Why would you want to sign in to Chrome just because you want to use one of Google's products? Isn't that risky on shared devices? Wouldn't that compromise your data by syncing everything locally?
Sign in to a Google web app, be it Gmail, Drive, or YouTube, and you're now also signed in automatically at the browser level.
Well, the questions are many and there are many concerns. But even if Chrome forcibly signs you in, your data won't start syncing locally unless you explicitly specify it. At least Google got that part right, but the whole thing still doesn't make sense. So why did Google implement this change in the first place?
An engineering lead from Chrome's dev team somewhat attempted to explain the whole thing in a meandering series of tweets . To sum up these tweets, the new implementation is supposed to help keep you safe in a shared environment. The portrait menu informs you that you have signed in to a Google account on a tab and serves as a reminder to sign out of everything whenever you want to close the browser.
The new implementation is supposed to help keep you safe in a shared environment
Mais désolé, Google – personne ne va acheter ça. La signature forcée des utilisateurs dans le navigateur semble être une solution imparfaite pour protéger les données personnelles sur un bureau ou un appareil partagé. Que se passe-t-il si vous oubliez complètement de vous déconnecter de l’application Web ? Maintenant que vous êtes également connecté automatiquement au niveau du navigateur, cela signifie que vos données personnelles sont encore plus en danger. Un étranger n’a qu’à cliquer sur ce bouton Activer la synchronisation pour télécharger tous vos éléments synchronisés localement.
Entrant : Autoriser la connexion à Chrome
Bien sûr, la tentative de Google de vous connecter automatiquement à Chrome ne s’est pas exactement adaptée aux utilisateurs. Le cryptographe Matthew Green, dans son article de blog « Pourquoi j’en ai fini avec Chrome », est allé en détail pour expliquer ce qu’il pensait que la nouvelle fonctionnalité de Chrome était un « modèle sombre ». Voici un extrait :
Ce gros bouton bleu indique-t-il que je suis déjà en train de synchroniser mes données avec Google ? C’est effrayant! Attendez, c’est peut-être une invitation à synchroniser ! Si oui, qu’advient-il de mes données si je clique dessus par accident ?
La citation ci-dessus a beaucoup de sens. Les schémas sombres poussent les gens à faire des choses qu’ils ne veulent pas vraiment faire. Et dans ce cas, bien que Chrome ait besoin de votre consentement explicite pour démarrer la synchronisation, le fait que vous soyez déjà connecté, combiné à la mise à disposition d’un bouton Activer la synchronisation trop grand et brillant, peut causer suffisamment de confusion pour cliquer dessus par accident.
Que se passe-t-il alors ? Non seulement vous téléchargez vos données sur un bureau partagé non protégé, mais vous téléchargez également un tas de données stockées localement sur votre compte Google. Sans oublier le fait que Google peut ensuite suivre votre activité sans trop d’effort par la suite.
Pointe: Que sont les motifs sombres ? Pour en savoir plus sur eux, lisez cet article intéressant
Google a peut-être réalisé les implications potentielles de cette décision en matière de sécurité et de confidentialité, ou peut-être pas. Mais peu importe, c’est là que la fonctionnalité Autoriser la connexion à Chrome entre en scène. Avec la sortie de Chrome v.70, vous avez désormais la possibilité d’empêcher Chrome de vous connecter automatiquement.
In Chrome's Settings panel, click on Advanced and simply disable the switch next to Allow Chrome sign-in. Once you've done that, you won't be signed into Chrome just because you wanted to use a Google web app. On personal devices, you really don't need to bother disabling Allow Chrome sign-in, but on shared desktops, it might be in your best interest to do so.
Time to use a sync passphrase
If Allow Chrome sign-in is disabled, you will no longer be automatically signed in to Chrome. But apparently, you can't always remember to do this when you frequently use shared devices. In this case, there is a solution to protect your data if you forget to log out, by creating a passphrase.
Chrome's relatively unknown "sync passphrase" feature applies an extra layer of encryption to your data. Every time you want to sync your data to a new device, you need to insert your passphrase. Otherwise, Chrome Sync simply won't work. Therefore, no one else should be able to enable syncing and access your account data without your passphrase.
Even if you turn on Chrome Sync by accident, you'll still need to insert your passphrase to start syncing your data.
To note:
The passphrase also works to prevent others from accessing the data even when reset. If you're worried about Chrome automatically signing you in, it's time you started using one.
Why not read this comprehensive guide on using a sync passphrase on Chrome to help you get started?
Privacy first, Google!
So, now you know what prompted the Allow Chrome sign-in option to appear in Chrome in the first place. Sneaky enough of Google to implement a feature to log you in at the browser level without consent, and a terrible privacy issue no matter how you look at it. But at least you now have the choice to prevent that from happening.
Fortunately, Google has heard everyone and changed a lot since Chrome 70 Beta.