Google and Privacy - Collection of articles and discussion

Freedom Privacy
, , ,
1

Note: I have renamed this topic to be a collection of all privacy-related worries surrounding Google.

Recent changes to Google Chrome cause huge uproar in tech community!

With the release of Chrome version 69, Google has introduced some changes - without announcing them - that have caused a huge outrage on HN (Hacker News, the small, high-quality social netwerk for Silicon Valley and techies around the world), because they have serious privacy implications.

The outrage started with publication on HN of Tell HN: Using Gmail? You will be force logged into Chrome which was followed by this article:

The subsequent HN comment thread contains more than 800 comments discussing the changes.

It basically boils down to this (Note that I am paraphrasing from the article, written by Matthew Green):

“Chrome has fundamentally changed the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet.)”

The change has serious implications for privacy and trust

"Google states that while Chrome will now log you into your Google account without your consent (following a Gmail login), Chrome will not activate the “sync” feature that sends your data to Google. [note: when ‘sync’ is turned on, a different privacy policy applies, allowing Google to collect more of your data]."

[The problems with this change are:]

  • User consent matters
  • The Chrome sync UI is a dark pattern
  • Big brother doesn’t need to actually watch you [the change will lead to self-censorship]
  • There are privacy implications even if sync is off
  • Chrome privacy policy has 2 modes, but Chrome now decides which mode you are in

As a result the techies make plans to ditch Chrome en masse. The tech community is also speculating about the reasons for this change. Multiple options are discussed:

  • The Chrome team honestly wanted to improve the user experience (UX) to avoid confusion in prior browser version with logging into the browser vs. your Google (cloud-based) account, and didn’t realise the implications

  • Google is acting as the monopolist similar to how Microsoft dealt with Internet Explorer in the past

    • Google doesn’t mind losing some small percentage of tech-savvy users, because the majority of its user base doesn’t care about privacy and won’t even notice the change
    • In addition losing users who switch to other browsers will help Google make the case that they are not a monopolist
    • Lots of discussion on whether Google has become ‘evil’, or not (I leave you to your opinion on this)

Whatever the real reasons, Google has lost a lot of love in the tech community and this will have an impact. Furthermore the change may be a good case for a GDPR lawsuit:

Which is also discussed broadly on Hacker News.

And then there are the discussion on how to mitigate these changes, or choose the best alternatives to Google Chrome:

Technical solutions:

Personally I am a very happy Firefox user for some time, so I read this from a distance, but I found it important to let you all know about these changes. Make up your own mind whether or not you’ll continue to use Chrome and Gmail in the future :slight_smile:

Edit: The sage continues: Chrome 69 will keep Google Cookies when you tell it to delete all cookies and also does not seem to clear localStorage where tracker data often resides.

2 Likes
2

This is very disturbing.

Our university uses Google for its email, calendar, and drive. I have just deleted Chrome from my home laptop, so if I try to log in to my university email, what will happen? Will I be unable to, or will Chrome automatically download to my laptop?

Wired’s article on this development.

An update to what I wrote above: I’ve just discovered that Gmail will not only provide pre-fabricated responses to messages but will also add text to what I am typing!

2 Likes
3

@aschrijver thanks for posting this! My question is… How do we inform mainstream people about this? Is the fabric of journalism damaged by datamining? I mean… why wouldnt journalists be moving on issues like this? Dataminjbg may be propping up journalism financially in a serious way- so why would they expose these issues?

I think the truth should be made available to the public- and the news media has a moral responsibility to expose our privacy issues we face.

You might start a blog @aschrijver for lay people- 4th grader level reading to expose the truth. Just a thought but maybe we can start a group blog which would have lots of exposure. It would be helpful for more people, not just here on CHT to hear your info on privacy issues- just a thought to digest.

4

Thank you @patm! The Wired article gives a clearer summary of the changes and why they are bad. Also note that the article has an update, because Google - as a result of the backlash from the tech community - has hastily decided to make some changes, and added an opt-out for the new feature. Furthermore, when clearing cookies the Google ones are also cleared and you are automatically logged out of you account (you can login again immediately afterwards).

Note that this is only a bandage, and does not solve the underlying issue that Chrome and other Google software + services cannot be fully trusted. With each and every release the users should beware new and creeping changes that invade people’s privacy. Their software serves Google, you remain the product, and they earn their money from your personal information.

The Google blog post that announces these changes is being discussed on Hacker News with interesting comments. What’s clear is that the whole issue was the final drop in the basket that has caused a permanent breach of trust in the tech community, and I expect the backlash to continue.

@patm, Chrome will probably not automatically install itself on your laptop, but by being forced to use it at work you continue to be leeched of personal information. I think professional use of Google products within companies warrants a separate topic.

Thank you @healthyswimmer! I think you can conclude that, yes, journalism is damaged by the rise of social media tech giants. It is a different issue than the topic of this thread, but very much a Humane Tech issue. What traditional media companies and journalists are facing is that paper media are dissapearing, ad revenue here is drying up. At the same time tech giants like Facebook and Google (with their search) have become primary channels to many people for consumption of news. Budgets for producing good (investigative) journalism are slashed continuously. Small media companies can no longer sustain themselves, and are either gobbled up by big conglomerates, or go bust. Real news is increasingly coming from a small number of sources, like Reuters, AP, etc. which are just copied.

Your idea about blogging in layman’s terms is a good one. I think we discussed similar ideas before. However, I do not think a blog is the right way to go. It should be more like a Wikipedia, or a ledger if you will, where all these things are recorded and easily accessible. With a blog the interesting articles over time fall down too far the list, and attention is lost.

So here we have yet another idea for a Humane Tech project :smile:

2 Likes
5

@aschrijver I see what you are saying- I mean the mainstream channel of journalism is not being used for the purpose of communicating why privacy issues are a problem. Most people don’t understand why the chrome privacy issue is a problem. I totally see why a blog wouldn’t work with the way topics get stuffed down in the list.

6

More follow-up and fallout on the Google changes:

Now trending on Hacker News: https://news.ycombinator.com/item?id=18129391

7

This appeared in The Verge in July 2018:

“Third-party app developers can read the emails of millions of Gmail users, a report from The Wall Street Journal highlighted today. Gmail’s access settings allows data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. And while those apps do need to receive user consent, the consent form isn’t exactly clear that it would allow humans — and not just computers — to read your emails.” (source: The Verge)

1 Like
8

Reading this is highly informative. There are many forms of abuse we can’t just imagine without visiting forums such as this one.

All the more pressing to alert the general public (of which only an incredibly small fraction will ever visit these pages) on how far Google has fallen from its “Do No Evil” motto.

1 Like
9

Using VPN and Firefox now. Not into Tor yet, as that would immediately flag me as a person of interest. Moving away from Gmail for all sensitive stuff to end-to-end encryption services. NSA can still hack me, but that “sensitive” stuff is pretty innocent. Ditching Whatsapp for Signal.

People on HN were making the valid point that if only people who have serious matters to hide resorted to taking such precautions, then there would not be much point anyway. Conclusion: all of us should take such measures.

10

Also learnt about the privacy-friendly search engine duckduckgo.com on Hacker News. Thanks @aschrijver for the links to very interesting reads on HN.

11

What’s with your Android phone always asking if you want to save a password with Google for any app or website?

We have so many passwords, the temptation is great to just save them with Google. So gross.

12

Per your question regarding android phones, read a series of articles I’m writing for the Epoch Times to learn more about civil liberty, privacy, cyber security, safety and tech product user exploitation threats associated with smartphones supported by the android OS, Apple iOS and MS Windows OS:

Surveillance Capitalism- Monetizing the Smartphone User: https://www.theepochtimes.com/surveillance-capitalism-monetizing-the-smartphone-user_2686194.html

Legal Malware (Apps)- How Tech Giants Collect Your Personal and Professional Info: https://www.theepochtimes.com/legal-malware-apps-how-tech-giants-collect-personal-and-professional-info_2688724.html

When Smartphone Terms of Use Turn into Cyber-Enslavement Agreements: https://www.theepochtimes.com/when-smartphone-terms-of-use-become-cyber-enslavement-agreements_2693809.html

Once you read the articles you will be unplugged from the Silicon Valley Matrix:

the%20Matrix%20Has%20You%2005
the Matrix Has You 05.png624×599 146 KB

13

Looking at permissions for Google Play Services. Basically, all permissions are granted by default.

I disabled nearly every one of them, and starting to see notifications that such and such app cannot work properly with a particular permission being disabled.

What the heck? I just ignore. Apparently, my Samsung contacts app doesn’t work if I don’t allow Google to access my contacts. That doesn’t make any sense.

And my regular Samsung SMS app apparently needs access to the microphone, otherwise will not work. Yeah, sure!

At the end of the day, Android is open source, but Google Play Services is proprietary (fantastic, right?), so you’re left to wonder what this all means. Any insider with some insights, please enlighten us.

14

Some more recent changes in Google practices:

Javascript is now required to sign into Google

The most privacy- and security-aware people do disable Javascript when browsing the web, because of its power and potential to cause security breaches - even though most websites are then broken, do not display as they should.

But Google has made a change that requires you to have JS enabled when you sign in to their services, e.g. to access your Gmail. It is for security reasons, and there is good and bad in the change. It would make it more secure, but with the downside of allowing Google to track your login behavior across the internet in more detail.

Here is the announcement:

And here is the corresponding Hacker News discussion: JavaScript is now required to sign in to Google | Hacker News

New version of reCAPTCHA (v3) introduced

Another feature that has good and bad side-effects. Google introduced reCAPTCHA v3, the technology to fend off bots and automatic scripts from your site, in the login screen (“Please prove you are human”).
In version 1 you had to type in garbled text, in version 2 there were the images to select (“Please select all images with cars in them”), and BTW by using it, you were also training Google AI’s in image recognition, for free (well, in exchange for using their service).

In v3 the experience has become seamless, and you do not necessarily notice the reCAPTCHA process, unless you are determined to be ‘suspicious’ of being a bot:

Now with reCAPTCHA v3, we are fundamentally changing how sites can test for human vs. bot activities by returning a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. reCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site.

The negative aspects of this technology are:

  • Well, obviously, more tracking and user data collection of your internet behavior (and potentially even measuring your cognitive skills in text/image recognition)
  • Google seems to abuse this feature to get more people to use Chrome browser, making the challenges harder on other browsers, or not even working on older browsers

The announcement is here:

And the corresponding Hacker News discussion is here: Recaptcha v3: new way to stop bots | Hacker News

Re @anon51879794 : Android permissions and Google Play.

Permission system is too course-grained and app developers make thankful use of that. I mentioned that before, here.

Samsung itself is an especially egregious privacy invader. All their apps - that you cannot uninstall and often not even disable - contain stuff that connects to the internet and send over unknown data, and their apps also contain hidden advertising. I found that out when GDPR regulation kicked in, in Europe: Privacy issues surrounding your smartphone - #2 by aschrijver

Android being open-source is a bit of a misnomer. The OS that is on your phone is crammed full of proprietary Google and Samsung codes to operate well. In any Android OS - even if you compile it yourself - proprietary closed-source stuff is dragged in. That is why e.foundation and others are developing fully OSS alternatives.

The Google Play service is another thing where Google abuses its monopoly position. It is always-on and tracking you. And they have control which apps are in it, and how easy they are for you to find them. You can’t remove Google Play, but you can install an alternative to Google Play, called FDroid - a crowd-sourced appstore that only offers free and open-source (FOSS) apps. Even then, before installing it helps doing a bit a due-dilligence to see how trustworthy an app is.

A problem with Apps in the Play store is, that there are now companies whose business is to buy software from their original owner, then create a new version, which is automatically updated on your phone if you have the app. This new version can now contain arbitrary malware and tracking software.

More info on Samsung and others privacy invasions, read here

1 Like
15

Hi @aschrijver

Here I was talking about Google Play Services (the system app), not Google Play - the app store. Seems to me that manufacturers such as Samsung exploit GPS’ extensive permissions to do whatever they want with your phone.

Case in point: they don’t ask for permissions, but if you turn off GPS’ permissions, they no longer function.

16

Ah yes. I don’t know the nitty gritty details, but it probably provides serves for auto-updating your app. Usually every permission that an app has can be explained as required by one of their features (your SMS may be able to send media, i.e. recorded messages), but when they are granted, they implicitly allow many other uses at the same time.

Some free apps though, are really abusing permissions, like a free flashlight app, that contains thousands of trackers. A way to check if there are trackers in an app was presented by @valere, who also created an app for that. See: Exodus Privacy / behaviors which can be dangerous for user privacy

17

The way I see it, some apps from the manufacturer can’t work if you don’t give Google Play Services full permissions, and some of these permissions have nothing to do with those apps’ purposes.

18

More on the subject

Google Just Gave Millions Of Users A Reason To Quit Chrome

1 Like