The latest major update to Chrome, the most popular internet browser in the world, added a small change that many perhaps missed, and that sparked a heated controversy in the privacy and cybersecurity world over the weekend.
With the new Chrome, if you log into Gmail, your avatar pops up on the upper-right corner of the window, and you can opt-in to sync Chrome with your Google account, allowing Google to sync your data across devices—that is, send a bunch of data, including your browsing history, to Google servers.
This is how it works, according to Chrome’s engineer Adrienne Porter Felt. And when I reached out to the company for comment it referred to her Twitter thread.
But before she clarified how this new Chrome feature works, many people who work on computer security and privacy on Twitter started complaining about it. Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, wrote a lengthy blog post explaining why he was “done with Chrome.”
Green complained that unlike in the past, with the new Chrome “every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.”
According to Porter Felt, as well as former Google employee Eric Lawrence, that is actually not true. Lawrence detailed very well how the new user interface works, and what you can do to avoid turning on sync in Chrome if you don’t want to.
“No, Chrome doesn’t ‘upload your browser history when you check GMail’… unless you tell it to do so,” Lawrence wrote, referring to the fact that you need to separately sign into Chrome and enable sync for that to happen. (I highly recommend reading his post before playing with your own account and settings on Chrome).
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Of course, the internet jumped to conclusions and there are already a dozen news stories that say Chrome will upload your browser history if you check your Gmail.
We have not done an analysis of how Chrome works, or the code behind it, but according to Google, all these stories are unequivocally wrong. Google did not change the way sync works on Chrome, it just changed the user interface in an attempt to make it clearer to users when they have signed into a Google service, so that they don’t forget to sign out if they’re using a shared computer. Clearly, this created new confusion, and shows that even a small UI tweak can cause a lot of trouble with software that’s used by millions of people.
Either Google is shamelessly lying here, or people have misunderstood what’s actually going on.
Either way, it’s fair to say that if you don’t like the idea of Google tracking your browsing, perhaps you shouldn’t use Google’s browser. If you decide to abandon it though, remember that it is, as of today, the most secure (not private!) browser out there.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.