Google Chrome could be tracking what users are doing without them being aware of it, according to an expert in digital content protection.
Until recently Google Chrome users have been able to use the browser without logging in.
However, now when people log into a service such as Gmail they are automatically logged in without their consent.
According to cryptographer and Professor Matthew Green who wrote a blog post ‘Why I’m done with Chrome’, Google quietly made these changes several weeks ago.
Professor Green revealed that people could mistakenly activate ‘sync’, which means the firm can log users’ behaviour and access their data without them knowing.
Professor Green warned that the development has ‘enormous implications for user privacy and trust’.
“A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience,” Professor Green from the Johns Hopkins Information Security Institute wrote in his blog.
“From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you.
“It’ll do this without asking, or even explicitly notifying you,” he said.
This means users are unknowingly sending their data to Google if they have the ‘sync’ feature activated, he warned.
According to Professor Green, the barriers between ‘signed in’ and ‘not signed in’ are gradually being eroded away.
This means many of Chrome’s one billion users are mistakenly consenting to their data being accessed as the Chrome sync user interface is confusing.
He believes these changes make a hash out of Google’s own privacy policies.
“In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click.
“This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data,” he said.
A Google spokesperson directed MailOnline to a Twitter post by Chrome engineer Adrienne Porter Felt who explained that users still have to consent to have their data synced.
“I want to share more info about recent changes to Chrome sign-in,” she wrote.
“Chrome desktop now tells you that you’re “signed in” whenever you’re signed in to a Google website.
“This does NOT mean that Chrome is automatically sending your browsing history to your Google account!” she wrote.
She also said that the Chrome privacy notice was being updated ‘ASAP’ to make the syncing option more clear.
Last month a study from Vanderbilt University gave a look at the just how much data Google is harvesting from its users.
Researchers examined how the search giant collects information from Android mobile devices, Chrome browsers, YouTube and Photos, among other Google products.
But the most surprising revelation gleaned from the study is likely to be that Google continues to collect data even when users are browsing in incognito mode.
Google collects data in ‘active’ ways, such as when users sign into an application, as well as ‘passive’ ways that users are less likely to be aware of.
In this scenario, an application is designed to gather information on users when it’s running, sometimes without the user’s knowledge.
“The extent and magnitude of Google’s passive data collection has largely been overlooked by past studies on this topic,” according to the study, which was published last month.
Most people assume that their browsing history is hidden from Google when they use incognito mode.
However, the study explains that Google can still link the data from incognito browsers to a specific user.
That’s because if a user logs into a Google account while a private browser is open, cookies left behind on the incognito window can identify them.
If they close out of the incognito window before logging into a Google account, then the data will be erased.
“While such data is collected with user-anonymous identifiers, Google has the ability to connect this collected information with a user’s personal credentials stored in their Google Account,” the study says.
What’s more, even if you avoid using Google services on an iOS device, the firm can still collect data on users.
Visits to non-Google webpages still registered a ‘surprisingly high’ number of communications with Google servers.
“The number of times such Google services are called from an iOS device is similar to an Android device,” the study noted.
“In this experiment, the total magnitude of data communicated to Google servers from an iOS device is found to be approximately half of that from the Android device.”
Researchers were most concerned by the amount of ‘passive’ data collected via third-party networks and advertisers that aren’t owned by Google.
“Google learns a great deal about a user’s personal interests’ during a day of typical phone use – things like their location, routes taken, items purchased and music listened to,” the study explained.