Am I logged in or not? GDPR case study on the example of Chrome browser change (lukaszolejnik.com)
681 points by krahmakt 27 days ago | 485 comments

I don't understand why the Chrome team is picking this hill to die on- their team (managers and developers) are all over twitter and reddit trying to explain the privacy violations away as if the people upset about this are just not understanding what's going on.

I really expect this change to push a lot of people away from Chrome, and frankly I wouldn't be surprised if it started opening up more antitrust possibilities due to how they're using their browser to give their services special functionality others can't get.

It's about privacy and also about taking away functionality that worked all these years for me. At work we use Google Apps and I sign in with my work address for Gmail, Calendar, Docs, Drive, etc. and am used to one click access to all these apps. But I like to sync my bookmarks, extensions and settings to my personal account - and that's it - I don't want to sign in to my personal Gmail, Docs, Drive in the browser. The new Chrome not only forces me to, but it now makes my personal account the primary one (/u/0 for Gmail) and forces me to go through several clicks for other apps to change accounts. And they didn't even ask before pushing this - one fine day Chrome auto updated and forced this feature on me and it took several days and a lot of signing out/in deleting cookies, posting on groups, etc. to figure out the flags workaround.

I know the following is not welcome on HN, but I have to vent somewhere folks that think this was a good idea are reading, so here it is: A big fuck you to Chrome for forcing this feature on us!

Firefox with the "Multi-Account Containers" add-on is pretty great for managing multiple identities. Browser tabs get labels (with color-coded stripes) for which container they belong to.

I can ignore identity switchers provided by a site (google in this case) and just keep two gmail tabs, one for personal and one for work, open right next to one another. Firefox keeps each one sandboxed with its own session info like cookies etc.

Just. use. Firefox.

I'll never understand this hesitation to Firefox, some people will bring out why Firefox is evil yet Chrome is clearly not the lesser evil product. I started using Chrome when it first came out, and then I stopped using it when it didn't have adblocking. Then when it did have adblocking it was extremely limited (I kept seeing popups and other nuisances), this was when I got dispelled then about Google being an ad focused company and never went back. I only use Chrome / Chromium (on Linux) to test web dev projects across major browsers, and sometimes Stack Overflow if I'm testing on Chrome might as well, but it's nothing all that special.

My main browsing has always been done on Firefox which has sync much like Chrome does, but oh look it's encrypted, forgot my password? Too bad, they're going to nuke my data since they don't even know my password. As it should be. My browsing data being synched is cool but it's not that precious to me, and if it was I would just not forget my password.

Also if I need to use Google services I have a Google container, if I need to use Firefox, I have a Firefox container. Good luck containing Google or Firefox on Chrome that way, and the multiple account containers are amazing for testing multiple user roles on web development projects all on one browser with multiple tabs opened.

> I'll never understand this hesitation to Firefox

In my case, I don’t switch to Firefox because they don’t support AppleScript and it’s a feature I use every day.

Less than an hour ago, on another HN thread, I saw another macOS user claiming they won’t switch to Firefox because it doesn’t support Keychain.

Every time there’s this conversation, I see a bunch of macOS users complaining about performance.

In sum, a bunch of users (particularly macOS users) don’t switch to Firefox because it plain sucks for their needs.

Be sure to turn off telemetry. Also, the other elements that can send browsing data to google, which are fortunately customizable in firefox.

People get set in their ways. We're not all web developers.

Not sure if this is a solution for you but you can have multiple Google account sessions in separate Chrome user sessions by clicking your user icon at the top then selecting to add people.

It becomes a game of “guess what user I’ll be logged in the next new window ?”

Chrome also doesn’t respect window order in the menu, so it’s just a pain to track when switching. My solution to that was to switch to Safari for personal use.

I have like 3 accounts added and it always used default account

What's a default account?

I had been using Chrome only for G Suite stuff (forced by my employer to maintain this account) and FF for everything else. This change resulted in the deletion of Chrome from my computer and a move to FF with Multi Account Containers set to segregate various services from each other.

I'm half thankful for the Chrome team doing this because it was just the push I needed to finally rid myself of Chrome once and for all.

I plan to do a clean re-install of the OS on my Mac as well to ensure that all vestiges of Google Chrome are indeed gone. I also took the opportunity to rid myself of Google Drive File Stream.

FF with Multi Account Containers is heaven

FF itself since Quantum has been heaven for me personally.

I've always used FF and Chrome, flipping back and forth as Chrome filled in where FF had issues and vice versa, but after a week or 2 on Quantum I just didn't need Chrome anymore and uninstalled it. Haven't regretted it once.

If you have to deal with their web apps like me, please also report performance problems loud and clear when they affect non-Chrome browsers.

The only thing that doesn't work for me at work with Firefox is some parts of our Google-powered meeting rooms. I can do videoconferencing just fine in Firefox, but I can't do screen sharing, even though Firefox seems to think screen sharing is enabled and working, only a black screen goes to the meeting room's projector.

Hopefully that'll be fixed soon...

I realise this is a low effort comment but...this username and this comment made me laugh and cry.

(also, I'm 90% FF now too)

It is. One feature I'd like to see added is a separate history for every container.

Currently the global history is shared between all containers.

This has been the one thing I've wanted since it was announced. It would make it a really powerful concept and maybe more plugins supporting container specifics. Like disabling / enabling features depending on the container you're under. I know some do, but if more did it would be amazing.

+1 for this.

It would be if I could restrict a container to a certain domain[1]. However, as it functions now, my containers are easily polluted.

[1] https://github.com/mozilla/multi-account-containers/issues/8...

I wish Mozilla would give some kind of guarantee that they won't drop the feature, otherwise I don't feel like investing time into building a workflow around it is worthwhile. And it's sad that this is even an issue.

We automated a process with RPA for a piece of software that was being replaced 6 months later.

You could look at it as silly, but in those 6 months it saved around 700 work hours after it had paid for its dev time.

Sure, that makes sense for your business, because it saved money. For me, personally, I don't want spend time getting used to software that is likely to be taken away from me (i.e. forced obsolescence). That is a very frustrating experience. I'd rather use and build on software that I know is going to remain usable for a long time.

so you can be logged into 2 google accounts at the same time? two facebook accounts? two twitter accounts? IIRC multi-account containers work by domain name so they don't handle this case. Multiple profiles do, something which Chrome handles well and Firefox handles poorly

Yes, you can. It's not as smooth as could be, but I am continuously logged into three separate Google accounts (one vanilla Gmail, two for separate G Suite businesses), and it works fine.

Each container can load any page. If you want to toggle the current domain to load in the current container, you can opt for that. Then, it will prompt you to switch to that container when you browse to that domain, and at that point you can opt to make it automatic. If you don't make it completely automatic, you can just choose to use the default container for that domain, or stick with the current container (or source container, if opening a new tab from some other container).

What would make this better would be to be able to flag a domain as openable in multiple containers, but have one be default, so I wouldn't have to decline switching to my personal Google container every time I clicked a link on an email in one of the G Suite accounts, as they redirect to a google landing page).

I work at Google; opinions are my own.

> I don't understand why the Chrome team is picking this hill to die on- their team (managers and developers) are all over twitter and reddit trying to explain the privacy violations away as if the people upset about this are just not understanding what's going on.

My impression is that this is the new norm at Google. It happens with everything, internal or external. The sad reality is that most decisions will deeply upset at least some people, and those people likely don't have the context into the decisions but still complain loudly.

From my perspective what happens is that it doesn't matter whether a decision was a good or bad one, there will be people who complain (ESPECIALLY internally as Googlers can be very entitled) and so at some point you're just completely immune to this.

This is not helped by the fact that people externally often think Google is on some evil plan and speculate in wild ways which are completely wrong.

To give you an idea of how these things usually happen.. it goes something like this..

Someone finds a UX problem, and makes a plan to fix it. In this case I guess it's confusion among signed on accounts. Someone on the team probably raises some concerns, likely similar if not the exact ones being raised now, and they debate it but eventually they say well, the proportion of people who seem to care about this is only 0.1% of users (Because we are objective!).

Sadly, even though it's "only" 0.1% of users, those users are extremely negatively impacted in a way that's not really reflected by the small percentage, and 0.1% of a billion is still a considerable amount.

On the other hand, there are many other decisions which were released just fine and we would not be able to do anything if we were always afraid of negatively impacting some small proportion of users. To me this is a weakness of the attempt to have everything be objective and "measurable".

Let me state that I don't think this is good or even acceptable, but I'm definitely not smart enough to know how to solve this on a wider scale than my immediate team. However I hope this at least provides some insight into why these kinds of thing happen.

'0.1% of a billion is still a considerable amount' is a very important observation, and one my colleagues at Google (before I left) rarely seemed to grasp. People think they can get away with a lot of cutting corners or lack of rigor in their engineering and design when mistakes can impact millions of people... our industry really isn't prepared for deploying products at this scale.

>...people externally often think Google is on some evil plan...

The real bad guys don't ever think they are evil. (consider Al Capone, hero of the people)

> >...people externally often think Google is on some evil plan...

> The real bad guys don't ever think they are evil.

At least seen from the inside, it's often funny (and sad) to see all kinds of crazy speculation about the greater evil goal of nefarious decisions made, all the while whatever is happening is usually a mixture of software bugs and incompetence on our side.

It's like a clown show, where the evil mastermind turns out to just be me incorrectly checking for a null value in some if condition, or my PM having no idea how to rationalize two features together.

I guess that comes with large corporation status, and a certain failure to communicate. Not sure if it's avoidable at all. It does teach you something about perception vs intent, I guess.

Yes. Acting evil is what makes you evil.

Then again, maybe we shouldn't be throwing around words like "evil", which we all know is hyperbole (even if invited hyperbole because of Google's own prior statements). Someone talks about Google being evil, and then other people push back because it's not really "evil", and they are both right, so neither ever gives an inch.

Sure, there's less impact when statements are less hyperbolic, but there's also less bikeshedding about the problem, so maybe something actually happens in the end.

You said it yourself, Google’s raison d’etre in some ways into these markets was that they were not evil anticompetitive Microsoft. Today, they very much are. Arguably they were always this way, but dark patterns like this is a new low.

And no you don’t need to be North Korea to be evil. That is a meaningless comparison. Coincidentally Google has started working with regimes similar to NK; The PRC. Is that not evil?

> Coincidentally Google has started working with regimes similar to NK; The PRC. Is that not evil?

No, it's not, because evil is a negative ideal, but I don't think it actually exists in reality.

Even Hitler wasn't evil, he was insane, and the whole situation is a case study of what happens when people, regular people, are given an easy explanation for all their problems. Placing something in the category of "evil" is placing it apart from behavior that you expect normal people to be capable of, since I think most people think the majority aren't evil. All that does is help us feel better at the expense of helping us be better.

Evil is for fairy tales, where things are black and white. Normal people rightly get defensive when called such, because the road to hell actually is paved with good intentions. Hyperbole isn't a useful way to communicate.

Sorry to go full Godwins on this, but if you can't pull out Hitler and Nazis when talking about evil (even to counter the point), then when can you...

You just implied that Hitler was insane, a slang and disrespectful word for mentally ill people.

I can’t even start to consider that it’s an appropriate analogy so Godwin point is duly granted.

PS: If it please your mind regexp replace "evil" by "ill intentioned" in Google related threads. But don’t forget that it’s Google that originated this terminology in the first place with their motto "Don’t be evil"...

Evil sort of loses its meaning when it’s thrown at Google in a world where Pennsylvania just banned books that aren’t sold through their systems from prisons, where ICE kills children in concentration camps, and that’s talking domestic issues only.

I mean, if google is evil then what do you call North Korea? Super duper evil?

I was just referring to Google's own phrase: "Don't be evil."

Google is evil in the same way now, that Microsoft was back in the day.

Tellingly, it was changed to "Do the right thing." after the alphabet split.

I'm glad you're here talking. This is hard to navigate as an employee. A company as large as Google must make it nearly impossible to anticipate every downstream effect it may have on seemingly unrelated areas of the business.

As an example in this case, I am an IT decision maker for a small group of people, I'm not that active on social media as a contributor, and losing an Apps subscription because of a browser auth decision could be one of those impacts. It's likely not, but if it were it would be impossible to understand in the aggregate, and of infinitesimal impact.

Be that as it may, user PII is now on the liability side of the ledger, and some businesses just haven't adapted to start operating like that is reality. Beyond financial hazard, the moral harm of a leak, the risk of telling the secrets of millions to the world (or a dangerous few) should be of grave concern. The best way to be trustworthy is to not know the secrets in the first place.

Bulk data collection doesn't affect 0.1% of users, that is the only group of people that understand enough to be concerned about. It affects everybody who signed up as a user. Their secrets and their safety are now in your hands.

This IS an engineering problem. I have full faith that with the right will, Google could figure out a way to offer web scale services to all manner of users and still deliver on its ambitions to deliver intelligent experiences with provable privacy at the heart of it. It probably involves data living at the edge; it probably involves renting datums from customers; it definitely involves a radical shift in business models.

Engineering a solution to a privacy-at-scale repository of human knowledge cannot happen without leadership that truly sees privacy as profit, at every level of the company.

I think that any decision, which impacts user privacy in any way, shape or form should be especially carefully vetted.

Unfortunately, and with a long list of "accidental" blunders Google is long beyond the point of deniable plausibility.

I’m very sympathetic to your situation, delivering software that’s this popular can’t be easy however in this case it’s really not that hard ...

When in doubt, Google should err on the side of privacy.

That’s the safe way to go. And in this case you can clearly see that some people will freak out if their browser syncs their history to the wrong identity or that it syncs at all.

As you probably know, Google does have quite clear policies on the matter.[0]

You and your colleagues could raise that these are there for a reason, approved by senior management, and there to help you respect your users' rights.

I like the sound of "Applications that affect or change your user experience should make clear they are the reason for those changes." or "It should be clear to you when you are installing or enabling software on your computer and you should have the ability to say no." or "We believe you should be asked explicitly for your permission in a manner that is obvious and clearly states what information will be collected or transmitted."

All of these sound relevant to the grievance of the OP.

[0]: https://www.google.com/intl/en/about/software-principles.htm...

Thanks for that insight, it makes sense.

Big corporations usually pick some good rule of thumb (use data based decisions) and pervert it until it's a blind rule.

Now I can see some understand some of Google bad decisions, sentiment and grudges aren't easy to measure. I can find some aspect of a google product annoying but not bother me much. Still, annoying things add up and most users, like 99,9% users don't write complaints publicly so they can't never tell. It's also harder to account for network effects like the family geek stop caring about chrome and moved the whole family and friends to firefox.

An estimated negative impact in 0,1% can really mean last push for 1% of users. Add several episodes like this and you can destroy a company.

Use checkboxes?

When you have a checkbox for every possible customisation option, you end up with a commercial airliner cockpit - hundreds of flashing lights and switches, that you need a comprehensive manual and years of experience to properly operate.

Or you end up with `about:config`. Doesn't solve the impossible to comprehend everything problem, but it still gives people the option.

And then you end up with people complaining about bloat because the browser contains code for every possible state of all these settings.

It's clearly not the case when the checkbox you're adding is an option to turn off some feature enabled by default.

No, not the feature all other components do need so much you have to work around by adding another zillion lines of code in other places of your program to deal with the case it turned off.

Spoken like a true modern ux designer ;-)

I won't say you cannot make toys but I'd be happy if ux designers everywhere could take a break and stop dumbing down working applications, thanks.

PS: they don't need to be flashing.

> PS: they don't need to be flashing.

In fact, in modern aircraft, they're not flashing. The trend today is to not light a light unless it's important to pay attention to it. It's called "dark cockpit".

Windows have a registry, Firefox - about:config, Linux - kconfig and sysfs. You don't need to make it Boeing way, but you need it.

Airplane control are complex and require training for many valid reasons. The cluster is actually a great study in UX design.

Also, it's Boeing or I'm not going.

> The cluster is actually a great study in UX design.

Agreed. But it's UX design for power users clearly.

But I was talking about the way to combine 'a regular users UX' with a ton of options you need for power users. The vast majority of the people who have Ubuntu on their laptops never recompile the kernel or even know about sysfs, the vast majority of the Windows and Office users never touch the registry editor - but removing them would be a huge mistake.


So make an advanced options screen divided into categories.

It's not hard.

And you don't have to do every possible customisation options, just the ones that people are enraged about.

This is hard to do as an afterthought. I bet Firefox had it from the start.

I wonder if we’re not already at this point though, and it might not be a bad thing.

Not everyone uses a browser the same, but a decent part of people here will spend their working life in the browser. I think for people here it won’t be rare to have dozen of windows with each dozen of tabs, some logged in different accounts within the site they show, some in incognito, some with in developer mode.

Even with just the browser filling multiple windows worth of buttons and stuff to interact with is easy, without even going to hidden preferences and configs.

I’d argue in complexity level we’re already on par with an airliner cockpit, it’s our job to deal with that, and we do it professionally for years. Of course not everyone needs that complexity, but at least we do.

What I am getting at is, I think we should accept we’re not at the point where it is simple anymore, embrace the complexity and give tools to effectively manage it.

Airliner cockpit are so because it’s efficient to have individual switches to important action and state indicators. We shouldn’t shy away from showing important info in the interface just because we’d end up with more stuff. Having it hidden can be a worse tradeoff.

The problem is that you're in the 0.001% of people who want their software complicated like an airline cockpit.

Most people don't give a shit, they just want to check their gmail and couldn't care less. They don't even read the alert boxes that do pop up. They just click almost anything blindly.

As a result, companies get away with dark patterns and privacy-compromising changes like this.

I'm somewhere in the middle. I don't want airline-cockpit controls, but I do want the ability to not sync to the cloud/NSA if I want.

I also don't want to be tricked into syncing by some dark pattern silent update that makes an ambiguous clickbox that doesn't clearly say what the privacy implications are either.

Yes, I think the middle ground will be the majority. All the more so actual “casual” users that want stuff that “just work” will use their phone or tablet, or the default browser already installed and is good enough.

Chromebooks are in an interesting position, with a chance to have newer users. But then they will literally live their life in the browser.

In that sense, Chrome users are already set apart I think.

I'm convinced that most users would prefer having zero options or checkboxes.

Yes, they would prefer the software to always be perfectly tuned to them, even as they change their own... preferences.

that's a huge silly fallacy.

if you are operating something as complex and dangerous, you need the commercial airliner cockpit! it's that way for a reason! or would you rather board a 747 with a huge colorful button "fly" and another "land"?

if you have something like a browser, that is your last line of defense accessing online banking etc, you need to see into the myriad of options. if you just browse facebook, use the default and be happy. Knowing about:config shouldn't be a gate keeper to anything! going to settings then advanced should be more than enough to communicate the concept of advanced options. anything different you are just being an entitled, incompetent UX designer.

about:config is lazy, but get some of the job done. your oh-so-perfect two options google chrome setting page, is lazy and useless.

Oh man, this always maddens me when a company takes away some option in the name of simplifying for the majority of users.

Put it on a screen called advanced options or something, even about:config, and let us decide!

That is, if you're really not just manipulating your users.

I mean, this _is_ on the advanced options screen. It's in chrome://flags/#account-consistency

So it is

But will it be there forever?

Some other post on HN on this topic implied these options tend to vanish over time. (I'm not sure if they do or don't)

That 0.1% doesn't take into account hours spent using the actual app. Power users tend to spend all day in a browser whereas a typical grandma might look at it for 15 minutes and close it. Meanwhile people who have multiple Google accounts and who spend literally all day in the browser are the ones that get the short end of the stick? That makes zero sense and it's why people are starting to hate Google just like any other corporation that makes decisions by committee. There should have been a product owner on the browser team that said "No this is a browser. Not an extension of GSuite."

The total indifference to people's valid use cases is what really grinds my gears.

Chrome is still the only browser that ruins my UX by putting a profile picker into the title bar. A place it has no business being. I literally made a patch and compiled my own version of Chromium for a while to get rid of it. https://github.com/hparadiz/chromium-disable-profile-button-...

I'm so tired of the arrogance. Chrome used to be a beautiful simplistic browser. Now it's just bloat. I'm done. Get off my computer. You guys had your chance and blew it.

If all the power users leave, the app makers do not care. If all the typical grandmas leave, their margins are significantly impacted.

You can figure out the rest.

That’s not a problem or an indictment. Just an observation of how systems work at scale.

How do you think Firefox and Chrome overthrew IE? The power users (us) who set up and fix everyone else's computers spent years telling others why IE is terrible and installed a different browser, and it slowly but surely worked (along with strong developer and media/press support).

That's very short term focused observation though. Power users are influencers. When power users leave - especially being annoyed and angry - they start to actively advise against the product left and right, to the regular users and to other power users.

But that's unfortunately how this works. I think people forget market players can, and are, self-destructive, when short-term profits interfere with long-term survival.

It's also part of the reason for the pace of the industry. You pump out as much money as you can from some space, and then move on to focus on the next thing.

Why would they repeat the Google+ linked accounts nightmare though? I never wanted a fucking chrome account, and linking my business and private accounts is the stupidest thing you idiots could have done.

I never wanted my youtube account tied to my business email.

> the stupidest thing you idiots could have done

Would you please read the site guidelines and follow them when commenting here?


Those guidelines were followed. Given the chance I would say that to their faces.

Between this and https://news.ycombinator.com/item?id=18072106 it seems clear that you don't want to use HN as intended, so I've banned this account.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.

Or before that, Google Buzz! The opt-out social network which nobody asked for that automatically shared your contacts.

"I don't understand why the Chrome team is picking this hill to die on"

Years of double digit percentage revenue growth sets lofty stockholder expectations.

All the low lying fruit to sustain that trajectory is gone. So, anything (AMP, this, etc) that might boost their targeting ability or impressions is important for them.

This. Google's carrot stick is the privacy yard.

> I don’t understand why the Chrome team is picking this hill to die on

Because they’re not “dying on a hill” at all, because nobody cares. Nobody outside Hacker News and Twitter infosec people only followed by other Twitter infosec people cares about this.

> I really expect this change to push a lot of people away from chrome

Care to bet on that? Because I would happily take the opposite side of that bet. I think the feature will stay and after a few months we will see absolutely no change in Chrome’s usage statistics.

> because nobody cares

A lot of people do not understand, but we do, we're the techies. It's our job to understand.

Don't mistake people not understanding for not caring.

Once people understand, they care.

It's the early adopters who breed the late adopters. If we all stop using Chrome, and thus stop recommending it to our friends/co-workers they will stop using it too. I've personally turned dozens of people away from IE towards Chrome. Now I'll turn dozens of people away from Chrome towards Firefox. Also, I'm also IT and I'm now phasing out Chrome on my company workstations and phasing in Firefox. It will take time as it's low on my list of priorities, but every workstation I touch I'll take the time to scrub free from Chrome and setup FF. There's 30x users right there.

> Don't mistake people not understanding for not caring.

> Once people understand, they care.

Conversely, don't mistake people not caring for not understanding. Many people both understand and don't care. Reasonable people can disagree about how their personal data should be monetized.

This can't be overstated. The update did not even mention this feature change, making it even more difficult for non-techies to know something has changed, and what it means.

Yeah, but my parents _understand_ Facebook collects/sells their data. But they don't _care_ enough to stop using Facebook.

They may understand it on a superficial level, but do they understand it on a practical one?

Everyone "understands" that Facebook collects user data. It's the contextual understanding that makes techies uneasy.

What you're saying is a pretty condescending way to treat other people's opinions. You're essentially questioning whether or not they really understand (complete with scare quotes) if they don't share your opinion.

It's not the "contextual understanding" - or any kind of understanding - that makes some techies uneasy. It's their own opinions and personal comfortability with regard to data monetization. Many people understand their data is monetized in myriad ways and fully don't care. Asking if they actually understand is only going to patronize them.

I get where you're coming from, but it applies to me equally in plenty of other domains.

There are countless things I understand the basics of but am not an expert in. That's why we specialize, because we can't be experts in everything all the time.

I don't mean it to be condescending, I mean to express that I can know that stars are powered by nuclear reactions and yet not have a firm grasp of what that really entails.

Most people, including myself, have a shallow understanding of a lot of things, and a deep understanding of very few things relatively speaking.

And yet, given a parallel into what is happening as if it were a different company ‘e.g. would you be fine with our man standing outside your house and observing your every movement as a condition of service’, most of these people that ‘understand’ switch to WTF?! No! If you then ask them to stop using Chrome or Facebook it’s suddenly ‘different’.

The only thing that’s different is that they can remain blissfully unaware of it.

Actually, they are questioning whether understanding makes sense, given people are unaware, uninformed.

The answer on all that is advocacy.

They may still not care, and that is fine. At least it is with eyes wide open.

Professionals do that sort of thing. It is consideration, not condescension.

I mean I'm a "techie" and I think I understand. I still don't care..

Didn't say you had to...

Earlier comment said "Once people understand, they care."

Your comment basically implied "maybe they don't really understand which is why they don't care".

So I am refuting the original statement because I presumably do understand, and I still don't care.

It seems he's employed by Google

What does that have to do with my opinion about not being concerned about my Facebook use..?

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

I started using FB well before I joined Google =]

Most people incorrectly think along the lines of "they have all my data already, so there's nothing I can do." Most probably also believe that many of the things that are going on are illegal and that someone is watching out for their interests. If they really understood the consequences of the data collection on a deeper level, most people wouldn't agree to it.

I can confirm: there are a lot of things that friends, coworkers, and family all think are illegal and yet when I tell them to call law enforcement, they then ask "but who do I call?" followed by "I can't afford to hire a lawyer"

They know what's happening is wrong. They don't know how to stop it. But they do still need to browse the web.

I understand, and I don't care.

I'm typically out of touch with normal people so I'm probably proving your point, but this has pushed me off chrome and Google.

I've always loved Google. Installed Chrome when it was released. I'm writing this from a Pixel 2 XL because I broke my Pixel 1 XL. I've had a Gmail account almost since it's been possible (I have my firstnamelastname@gmail.com). I now use Firefox. I don't know what mail I'll switch to, and I can't bring myself to an iPhone, but I'm leaving.

Google's increasing anti-user posture is enough, personified by the removal of their slogan "don't be evil". Legal move though it surely was, it's all too fitting.

Goodbye Google - you broke my heart.

I respect your feelings, but with respect to one of the factual details you listed: the "don't be evil" slogan never got removed from Google's Code of Conduct.

That document has been reworded and the slogan is now at the end, but it's been there continuously. While I agree it's more of a passing mention than in the old wording, the end is one of the most prominent placements possible for such a statement other than the beginning.

The common Internet belief that they removed this came from the Code of Conduct of Google's new parent company Alphabet, which says "Do the right thing" instead, combined with the subsequent rewording. But Google's still applies to Google as well.

Oh thank you!

I'm thoroughly embarrassed to have regurgitated internet gossip without reading the source material.

However, as you mentioned, I stand by my sentiment. Google has clearly telegraphed their desire to put making money over users' privacy and security (my definition of security being safe from Google, whereas Google's is safe from everyone BUT Google).

To attack this issue from Google's side, the targeted ads I receive are straight garbage. The ads I get on my Google YouTube account from my signed in chrome Google account on my signed in Google phone are not in the least bit relevant to me or my interests. I don't use ad blockers of any kind. If I have to watch the ad about Dr. Gunter zolof solving Carmichael's toshent conjecture one more time, my phone might suffer an "accident" and I will take that opportunity to switch to a different provider (ANGRY SIDE RANT: I haven't watched that ad to completion or clicked on it a _single_ time. Stop showing it to me. 50 times. Consecutively)

> I don't know what mail I'll switch to

Hop on https://www.gandi.net/, choose a domain name that looks professional (such as mylastname.me or some other clever variation) and never have to ask that question again.

If you ever want to go back to gmail, bring in your domain with gsuite (https://gsuite.google.com/).

As for an alternative UI&host recommendation, go for fastmail: https://www.fastmail.com/

> personified by the removal of their slogan "don't be evil"

It's always interesting to see how the most technical users seem to take such an irrelevant vague throwaway marketing line so seriously.

It's also still in the code of conduct but now moved to the end so it was never actually removed from anything anyway, if it actually matters.

I had the same mindset as yours perhaps a year or two ago, until I realized a couple of things that completely changed my mind. This is a little off the main topic but you see, when it comes to privacy, we like to think that we have it in our control but in fact we don't. As Snowden has proven, what the NSA is doing is far worse than Google. You just don't know it because it's completely hidden and sealed off from the public. But why do they have to conduct such extreme level of data mining you ask? Well, we are not living in manufacturing age anymore, that was maybe 40-50 years ago, we are living in an information age now. Everybody agrees that information is the new oil or the new currency. For the United States to continue being the leader of the world, it would be absolutely foolish for anyone to think that they don't have a complete and total full control of this key component.

The public needs to start changing their mindsets and begin to accept that all information in your private life is being recorded. The only important aspect that needs to be questioned is to what extent the data is going to be used. Are some companies not going to hire you simply because of something you did in your private life three years ago that they may not agree with? That would be unacceptable to me as it would definitely cross the line. It is what I consider similar to the "social credit" system being implemented in China, in which everyone is under surveillance at all times and given scores for activities such as grocery shopping. There are always two sides of the extremes, and the balance we should strive for is somewhere in the middle.

It's impossible to ask U.S. companies like Google not to conduct data mining on their users. How do you expect them to compete with companies in other countries that monitor their users 24/7 and have access to larger and more accurate data? In the age of information and artificial intelligence, those companies will win the battles simply because they will have better insights that Google won't ever have. Companies in the West cannot readily admit what they're doing because the public mindset is not yet ready for this change. It's too drastic and against many values we have been familiar with our entire life. But our world is changing very quickly, it is not the same world as before, it's understandably very difficult for most people to wrap their head around this but we need to update our mindsets even if that means changing our values. Companies like Google cannot disclose what they do because of public backlash they will receive. If people are just going to switch to another company, all their investments will have been lost, and the next company will be forced to do the same anyway. Google's recent move was probably the best way to test out public water, and it is already not looking very good. I don't know if governments from the West will ever be able to crack this issue.

What? I should just ignore Google's harvesting of my data because "everyone does it"? That's ridiculous.

Also, why do companies need to "compete"? There's no reason that core software like internet browsers or operating systems need to be commercial in the first place. I will happily continue using Firefox.

I understand your logic and I fully agree because I was on your side. If there really is a choice nobody would want it to be this way. Unfortunately our current world is not a utopia.

Let me give an example, suppose no countries on earth had nuclear weapons. We all know how deadly and devastating its effects can be to humankind. Let's say initially all nations agreed that it's bad for all of us and nobody should pursue it. However, if ONE country broke the contract and started developing nuclear weapons on their own. Do you think the remaining countries can afford to stay at their same positions and not start developing it too? Once someone starts doing it, all bets are off! You can apply the same logic to any unethical technological experiment, such as cloning humans. Google really had no choice, if they don't adapt they will be out of the game within the next 10 years.

please note the announcement of the French 'security OS'


But the tech-savvy community has influence. We set up computers for our friends and families. We write IT policies. We are web developers, tech reporters, and more.

At least for me, Google's behavior means that I can no longer recommend Chrome.

I can't imagine the impact is significant even if we consider two degrees of acquaintances (you tell someone to not use Chrome and they tell someone else).

That would be very depressing if true.

Fortunately it's not. On average people are only about 6 degrees apart, so in reality a relatively small number of people can get a surprisingly large amount of coverage in a frighteningly short amount of time, should they choose to apply themselves.


The world is very small, and privacy is a mainstream concern these days. The impact of one story or one action is limited, but in the end, users do get their say. Otherwise, we would still be using Internet Explorer.

Maybe not in a few months, but things like this are funny. People who were looking for a reason to leave Chrome may use this to justify it, and while it may be a small audience, small audiences can be trendsetters, especially if they are passionate.

Much like the slide from IE and Firefox to Chrome, by the time Mozilla and Microsoft reacted, it was already too late. Time will tell if this is the start of such a momentum flip or if it's just another blip.

Part of Chrome's rise to success was, on top of its (at the time) superior performance, the massive marketing from the biggest advertising company in the world.

10+ years ago, techies were the trendsetters in computer technology, because computers were hard to use.

Now computers are easy to use, and the mass market does not need to rely on techies for guidance, and non-techies can be early adopters. The general public relies on mainstream popular culture / fashion influencers.

I would take a small bet. We're the trend-setters in technology. We're the ones who got everyone on Chrome to begin with. Otherwise they'd still be on IE. If all the tech people abandon Chrome, they will start recommending FF or IE again and discourage Chrome use. The impact is slow, but it is significant.

Yep. Technology evangelists tend also to be early adopters. If they all jump ship, the masses will follow. Slowly, but surely.

See my other comment in response to the parent - I hope neither of you were being sarcastic and that a bet is worked out.

>Because they’re not “dying on a hill” at all, because nobody cares. Nobody outside Hacker News and Twitter infosec people only followed by other Twitter infosec people cares about this.

Ever since I updated to 69 I've been absolutely loving it. The most noticeable improvement is it feeling incredibly faster, but as someone who's been using 4-5 profiles on Chrome for over a year the new user management stuff just feels so much more intuitive/integrated.

I was super surprised to see people complaining about it on HN this morning, and I'm still not entirely sure what the problem is. FWIW, I also severely disagree with a lot of the implementations of GDPR, so maybe I'm just not the audience who cares here. To me, this update has been nothing but improvements so far.

I wrote elsewhere that Chrome 69 marks a big change for the browser world.

Chrome 69 is simply the best. Not for me, but for the average user. The reading and work flow is incredible for casual browsing.

The negative reaction on HN is understandable, but it's not relevant for most people.

The goal of Google is merging the user experience of Android, Chrome, Google search and personal Google accounts into one, and it will get increasingly difficult for users to get out of this ecosystem.

I find this reality highly disturbing, but, as you mention, the average user is impartial if not completely ignorant. I think Google is very clearly exploiting both its monopoly and this end-user ignorance to centralize and control all aspects of the web and user devices. It's not far-fetched to consider that soon there will be no OS on the PC, but rather just Chrome as an interface to everything Google and the web. And so controversy like this is momentary and seen only in a vocal minority, quickly forgotten. Just a couple months ago, Chrome was found to be scanning user files for malware - this was quickly forgotten, probably even by the very same vocal people discussing Chrome on HN today. At this point, it's almost faux outrage.

Once upon a time "nobody cared" that IE was trash either, now look what's happened - and that was preinstalled on the OS.

A lot more "lay users" will care when random sites they visit start picking up their Google identity and showing it in the web page, all because the user signed into the browser. This is what it looks like: https://imgur.com/a/nFvxI0U

Assuming this isn't fixed, the ick factor of being in-your-face followed across the web will be quite strong, I think.

Just a small meta-point that betting is a great way for both sides of a debate to tone down rhetoric, engage in dialogue, and discuss objective terms or processes for evaluating a disagreement. It looks like another commenter is taking you up on the bet and I hope neither of you were being sarcastic, because I think betting isn't something to joke about but a wonderful tool that we don't use often enough.

Sad but true. People don't care about this stuff, in general.

Why would they? Who outside our paranoid bubble is doing anything other than being signed into their accounts all the time?

This means that the voice of those who care will be loud and clear, because those who don't care stay quiet. A top 30 post on HN makes a difference.

>"Because they’re not “dying on a hill” at all, because nobody cares."

You are conflating "don't understand" and "don't care." Those are not the same things at all. This conflation seems to be a staple of Big Tech now where matters of privacy are concerned.

>"Nobody outside Hacker News and Twitter infosec people only followed by other Twitter infosec people cares about this."

Awareness of issues and a dialogue concerning them generally starts with people who have domain-specific knowledge. The idea that this somehow detracts from an issue's importance is absurd.

I personally know people who think they are signing into Chrome when they sign into google.com. Maybe the Chrome team is right about their larger user base?

They could support both use cases by popping up a dialog on sign-in to a Google web property:

"You're signing into Gmail. Would you like to link Chrome to joebloggs@gmail.com? This will enable automatic notifications in Gmail, sync passwords and web history, and also automatically log into other Google websites when you visit them".

"Yes / No / No, and don't ask again"

Excuse my cynicism but the options would be:

"Yes / Ask again later"

You're on the right track but it'd probably be a modal popup with "Google is making things better by inventing foo and elevating bar to the height of technology, as part of this change we'll be cloudifying some technical data. [Accept and Continue?]" with a teensy tiny little x in the corner... possibly burying all these in a EULA update.

I’m thinking just a banner along the top of the viewport with “Dismiss” and “Learn more…” buttons. The latter pops up a window with a small gray “More options…” link at the bottom, which invokes a modal with the options “Continue signed in as Alice” and “Manage Profiles…”, the latter of which allows you to disable syncing while simultaneously deleting all your local bookmarks and browser history.

These last couple of comments were probably some exaggerating pun... But after this story I was running privacy checkup, surprisingly found that my location history was on (after turning it off several times long before, which is a separate question why it turns on), turned it off again and then got 404 when trying to delete it. All this in a labyrinth of often circular links without much clue where the actual switch is.

(A year later) 'Over 90% of our users don't choose to turn these settings off. So we made on the default and removed the option.'

... We passed the point where dark UX patterns deserved the benefit of doubt a few years ago.

If it benefits the company, it's intentional.

This thread got progressively more accurate and more depressing at each additional comment.

Judging by all those post-GDPR popups I frequently receive the text would also contain some text like “by clicking ‘accept’ or ‘X’ you consent to XYZ.”

There's almost never a true choice.

You don't have to click on 'accept' or 'X'...

I see where you’re going but that’s just not practicable, is it?

Generally if the notification is getting in the way, I delete it from the DOM.

Given that the popup sitting in my Gmail window currently says

"Update now / Update in 1 week"

I think you're being a little optimistic.

Email harvesting on ecommerce sites has moved on from that to "Yes / I am an evil puppy hater and eat children for breakfast" sort of copy.

Yeah, except:

> This will enable automatic notifications in Gmail

> sync passwords and web history

Chrome 69 does not enable either of these things just by signing into Gmail. (Sync being a separate opt-in has been well discussed. I just tested notifications on a new profile: they're not automatically enabled, and if I try to enable them in Gmail settings, I still get the usual browser permissions dialog.)

> and also automatically log into other Google websites when you visit them.

...and this one would happen regardless of any browser involvement.

I’m still not clear about how exactly this new feature is decoupled from sync. Where is the source of truth for the sync setting — is it in cloud or locally in every browser profile?

If I have chrome sync enabled in browser on desktop a, then login to gmail in chrome on desktop b — is the browser history on desktop b now synced ...?

Also curious whether sync implies that old browser history in desktop b is synced to my account or is it guaranteed to be the case that “only browser data collected while logged in” is eligible for being synced between devices ...?

The question is, what about other sites? Do they also think they're signing into Chrome when logging into amazon.com?

Google services are getting preferential treatment over the rest of the web on a browser with a market share big enough to be subject to an anti trust case. Vestager must be licking her lips right now...

I expect this is the case... I know I myself was thinking a few months ago why Chrome doesn't have the ability to keep the logins in sync. However, why in the world did they enable this by default for people who didn't want their browser to do anything with their Google accounts? It would make sense to keep them in sync when users request to connect their browsers to their accounts, but not when people don't want the two to be connected at all.

Because almost every user in the world wants it connected.

I've been in at least 2 corporate positions where there were strong reasons to separate your personal environment and your professional environment.

I do not want synced browsers between my two environments.

This change makes it inordinately difficult to maintain that separation while utilizing other parts of the google ecosystem.

I use two profiles for that.

I don’t doubt that the Chrome team is right about the problem the majority of their users are facing. It’s just that those users are also unaware of the privacy implications, and supplanting a bad problem with a worse one ain’t a fix.

> Maybe the Chrome team is right about their larger user base?

Maybe the Chrome team was wrong to introduce signing in to a browser at all?

> Maybe the Chrome team was wrong to introduce signing in to a browser at all?

maybe, but that would mean that all browser vendors did it wrong. (including mozilla)

> but that would mean that all browser vendors did it wrong. (including mozilla)

I think that's the case, and Mozilla is one of all your friends who are jumping off the proverbial bridge. (Posted from FF, not signed-in.)

Safari doesn't do this (it's part of iCloud, which syncs all docs, not just Safari), and Mozilla doesn't tie signing in to website signing in. I do think this is quantitatively different, esp. considering Google's near monopoly on email accounts.

They are tying website login to browser login, with the intent of merging the two - that's the problem.

To users of Google who are fully invested in that corp having total control of their online life, this fuss will seem quaint and odd, but I do think it will have serious implications long term - people are turning away from search too for similar reasons - abuse your monopoly enough and people will actively seek out other options.

I imagine most people want their bookmarks/history/extensions/settings synced..

Most people have no idea you can even log into Chrome.

I've been considering switching over to Firefox after being a day-one adopter of Chrome and this helped become a tipping point to get me to switch over. Though, full disclosure: I've been working to limit Google services in my day-to-day life (Maps, Gmail, and now Chrome) in the last couple of months over privacy concerns.

I've been using Firefox for quite awhile as my primary browser. I'm now to the point that I only use Chrome for checking websites I'm working on. I've had no complaints about Firefox. For me it is fast and stable.

Does Firefox work with Google Hangouts/Meet/“whatever it’s called now”?

I know they were working on removing the need for plugins in other browsers. But last time I checked it was still a bit iffy.

This is what’s keeping Chrom(e|ium) installed on my machines right now. (I have a customer that uses it extensively).

If Hangouts works in Firefox I think I'll uninstall Chrome.

To answer my own question, yes Hangouts does work fine in Firefox. Not tried screen sharing yet but video calls work for me.

Nope. To expand my answer, only certain versions of Hangouts work with Firefox, sigh.

I made the tentative switch last fall to try out their much touted Quantum when it was newly released. A year later and I haven't looked back.

After reading a little I randomly plonked on Brave. Selfishly, I wanted to know if our stuff worked on it- encryption, chunking etc. To my joy, it does and.... Brave is pretty cool. Converted.

I have noticed Xero doesn't work on Brave. Not my product so not so concerned but I'm going to investigate to see what Xero is doing that we are not. ie why my dev's stuff works and xero's does not.

Same, I just made the switch today because of this change. We'll see how it pans out.

> I really expect this change to push a lot of people away from Chrome

Agree with you up until this point. The vast, vast majority of people won't even notice this has happened, or really care much.

Anecdotal of course, but I haven't heard a single complaint among my non-tech friends, and I'm usually the first person they talk to about this stuff (because I'm "in tech"). I also believe Google when they say this change results in a lot less confusion from users (and just so happens to be a strategic benefit for Google, too...)

Not that I want to advocate for Google, but I imagine you could create a Firefox extension that works something like that into Firefox's sync mechanism. It sounds like they're scanning a cookie and then using that to change some other aspect of the browser; unless they've also added some stuff that only Chrome could recognise and work with.

Now I've done making an excuse for it, I think it's a shame that Microsoft fucked up so bad with IE that both Edge and Safari face an uphill struggle. They're both pretty decent browsers that are kind to your battery and aren't bloated with features you're unlikely to ever use.

The extension support is fairly poor for both but at the same time, that's not exactly a bad thing. You browse the web with them and that's more or less it.

> I imagine you could create a Firefox extension that works something like that into Firefox's sync mechanism.

Being able to make something with an extension and having a behavior turned on by default in the browser are very different things.

I’d like to do more in-depth research into this first, but my theory is that this move is innately tied to Google’s foray back into China.

>I don't understand why the Chrome team is picking this hill to die on- their team (managers and developers) are all over twitter and reddit trying to explain the privacy violations away as if the people upset about this are just not understanding what's going on.

link to said threads?

Yeah...and that thread says that the change is basically nothing, just a UI indicator:

> Q: I don’t get, though — if you’re signed in to the browser but sync is off, then what does it mean to be signed in to the browser? What does it do besides sync?

> A: Not much, you can think of it like a Gmail login state indicator.

If that's fully the case, then there's nothing to see here and people are freaking out over nothing. Am I missing an important element here, other than that people don't trust Google?

@__apf__ is being slightly disingenuous when she says "Not much ... like a Gmail login state indicator." Google logins are used across the web by a lot of sites. For instance here's what happens when you visit an Indian financial paper, the Economic Times, using Chrome 69: https://imgur.com/a/nFvxI0U (some personal info has been blurred out).

I almost never visit the Economic Times, and I certainly never log in, but now it gets a chance to log me in using my 'real' identity, and there's even a popup to nudge me in that direction. Any site that implements Google Logins can do this, as far as I can tell. I'm pretty sure most people who chose to enable browser sync in Chrome didn't opt for this.

I think the Chrome team really screwed up on this by not considering how Google IDs are used across the web. And for what? The rather marginal scenario of eliminating confusion in shared-browser situations?

Or they knew the full implications and did it anyway, which is even more disturbing.

It all makes sense if the end goal is for the browser to push google login across the web, and make google accounts the preferred way to log in to websites. In that case they're doing you a favour, it's all in your best interests, as well as Google's of course. [/sarcasm]

I simply don't trust a single corporation that much.

They are not doing me a favor. Software companies need to stop believing their own paternalistic propaganda. Nobody at Google is in a position to determine whether they are doing me a favor or not.

It was sarcasm, this is how the google workers rationalise this to themselves (see other posts on this thread).

Sorry, my mistake.

It's not the case though. Google's privacy policy has two different "modes" for Chrome, one for being logged in and one for being logged out. By tricking people into logging in without their consent they are also tricking people into allowing that extra data to be collected.

Their current argument is that they aren't actually collecting that data- just getting permission to- but that's kind of sketchy and still leaves them open to other changes that do start collecting things.

The other big issue people have with this is that the use case they're talking about- accidentally logging into a site and not logging out- is an issue with all websites, not just Google. Adding a UI for Google services explicitly is something only Google could do, which makes their browser less "neutral". This is why people keep bringing up antitrust. By taking advantage of their monopoly to further entrench that monopoly they are breaking the trust of their users.

You're misreading the privacy policy. Google's privacy policy has two modes, one for sync on, and one for sync off. Logging into Chrome does not turn sync on, so you can be logged into Chrome and still covered by the "basic" privacy policy.

They aren't actually collecting that data because you haven't turned sync on.

Yeah, well, but what keeps them from silently changing that, seeing that users are already logged in? The UI for the sync preferences is sketchy at best as it is right now and you're basically just one misclick away from handing all your browsing data over to Google.

It's almost a certainty that they will continue down the slippery slope and start syncing data automatically in a future update. That sort of change has happened several times, so there is precedent.

But can't you protect your synced data with a passphrase?

According to the Chrome privacy policy the synced data is inaccessible to Google if it is encrypted with a passphrase, even though this encryption seems to be weak: https://palant.de/2018/03/13/can-chrome-sync-or-firefox-sync...

Reducing their userbase is exactly their aim. They are doing that the only way possible that won't bat an eye. Firefox has to grow so that chrome is no longer considered a monopoly.

Well they could start by removing the nag box on their home page asking non-Chrome users to switch to Chrome.

I believe there is a purposeful propaganda war being directed against Google and Facebook here on HN and elsewhere in the media. I am not sure who is behind it, but my best guess would be Russia or China as they would have interest in this. Most of these posts against them are very flimsy, but they get huge upvotes.

Because they have business requirements that depend on people using this feature.

> I don't understand why the Chrome team is picking this hill to die on- their team

Really? That one is easy to understand. Google is a malware company and anyone that cares about privacy wouldn't work there in the first place.

> their team (managers and developers) are all over twitter and reddit trying to explain the privacy violations away

That's literally their jobs as Chrome evangelists. They're just doing what they're told.

Because a lot of it is FUD.

I've never signed into Chrome, but I am able to access 2 Google accounts... and Chrome still shows me the "Sign into Chrome" option.

Version 69.0.3497.100 (Official Build) (64-bit)

(I normally just use Chrome for development)

I can see why they thought this was a good change. It makes the UX for G-suite apps much more pleasant, almost like you get the full functionality of G-suite productivity stuff as part of installing Chrome. For most people, that's a good thing.

I think as tech people we systematically tend to under-think the second-order effects of the systems we build. Case in point, Chrome and G-suite being that closely integrated brings up serious privacy concerns, and the part where the Chrome team doesn't seem to appreciate the nuance reflects poorly. I do cybersecurity now (didn't used to), and a good number of problematic things I run into just come from engineers like my previous self not thinking through the security implications of a specific design, mostly because not thinking about security means shinier UX delivered on less resources.

Just another example I encounter regularly: I use U2F to sign into my Google accounts. However, when you log in, the checkbox to "trust this computer" is checked by default, meaning that if you're not paying attention your account will get automatically downgraded to single factor authentication going forward. It's a clear nod to convenience, but done this way it makes you shoot yourself in the foot.

> I can see why they thought this was a good change.

It's a good change only if you are permanently logged in to google services, which is probably why it seemed like a great idea to the Chrome team, who probably have no idea how much distrust Google has started to build up. It moves the browser closer to an app runner for google services - I'd understand that if this was on Chrome OS or a specific 'Google' app, but in a general purpose browser the browser chrome should never indicate login state about specific websites, nor should my browser be logging in to google itself. It was bad enough when that was a choice for users, now it is one policy change away from being obligatory.

This is how we end up living in a world where google has access to all your data. I've switched browsers due to the move, not just because of this specific action, but because combined with all the other dark patterns Google has engaged in recently, and their clear moves to abuse their monopoly in search, it tipped me over the edge.

I no longer use google search (have been using ddg for a while), and now no longer use google browsers as a result of their disregard for user privacy.

Just use different browsers for different things man, this isn't even hard. I seriously do not understand the outrage over this. Half the websites we visit host their fonts on Google domains, where is the outrage over that?

Why use Chrome at all? I'm not outraged, just voting with my feet.

> Half the websites we visit host their fonts on Google domains, where is the outrage over that?

Copy that. That's a serious privacy leak, Referrers, none of the adblockers handle today.

uBlock blocks remote fonts. Between sites hosting their own assets becoming old fashioned and fonts being used for icons it breaks a lot of things.

I'm hoping CDNs get the same privacy treatment as Facebook and the like have been getting lately and we can go back to a self hosted world.

uBlock Origin blocks third-party content, including silly fonts hosted by Google, just fine for me.

I recall seeing fonts.googleapi.com being allowed by uBO (in medium mode) once, so it needs to be double-checked.

Also, it's not just fonts, but jquery and other stuff. And two places to check: Referrers HTTP header and meta element Referrer Policy of the page

> your account will get automatically downgraded to single factor authentication going forward.

*your device

If someone has access to my desktop PC, they also have access to my yubikey anyway.

No, I definitely meant "your account". Specifically, I meant that you will accidentally trust devices you log in on that you might not be aware of, which exposes your account to unintentional reduction to single factor. I don't only log in at home.

If Google switched it to not trusting by default, you could still trust whatever device you want, just without the risk of a default behavior working against you.

Yubikey still saves you from PC malware but I would suggest anyone not to store your yubikey beside your computer (or laptop bag) but to attach to your phone/keychain so it's on you all the time since it's safer that way.

If someone breaks into my apartment, I have more problems than losing my Yubikey. And my threat scope does not include agencies that would get my passwords AND be able to break in and steal my key. And if it did, I would think they could just take it from me.

Chrome has been the new IE for years. "just use chrome" is an endless refrain from webdevs who don't want to test on Firefox. Not sure why it is so hard for people to see what is going on here. Google has a massive conflict of interest with their web development efforts. This is classic Microsoft-esque Embrace, Extend, Extinguish.

That's a bad example. In technical progress, Chrome is the complete opposite of IE (which seems to be replaced by Safari these days) and way better than the rest in pushing forward new features. Also 99% of the time Firefox and Edge work just fine.

EDIT: Yes, IE was great in the beginning, but then it stagnated and earned the wide reputation of being the terrible obsolete anchor that it is now known for. It's with this late-stage IE that I don't see the comparison since Chrome is still on the cutting edge.

Some of Chrome's decisions are definitely IE-like.

For example, the FF team felt that flex/grid should become the new layout standard, and deprecated or accidental behaviors of the past could be sunset by doing it right on Flex/Grid. So, for example, margin-top: 10% would be percent of height instead of percent of width when on a flexbox or grid item.[1]

Chrome did it their way and wouldn't discuss the issue, and eventually FF caved because Chrome has a near-monopoly.

This idea of implementing bad design and forcing it on the world, won't end well for the user.

Not to mention the whole recent hullabaloo about hiding the www / m / whatever prefixes.

[1] https://github.com/w3c/csswg-drafts/issues/2085

[2] https://news.ycombinator.com/item?id=17927972

IE at its core was technically very advanced, way faster than Netscape, and pushed a ton of new features.

Dynamic HTML as it was called, CSS, encryption, and so much more stuff came to IE before any of the competitors.

Then it became the IE6 we all came to know. The analogy with Chrome starting as a trail blazer and progressively taking the same trajectory is perfect, really.

How is Chrome taking the same trajectory when it is actively developing and releasing new features?

As far as I can tell, it's still on the bleeding edge and only recently met there by new advancements from Firefox.

That is known, but the point is that IE stopped. That has been reported somewhere, can't find a useful link right now but I remember the discussions. It was reported - and what was observable matched the description - that as soon as Netscape was out Microsoft stopped pretty much all their efforts, and IE became the laggard that due to its market share prevented innovation and became a huge obstacle for quite a long time, until loss of market share and the rise of the web app forced their hand.

I can confirm this. I used to work on the IE team. Went from a team of hundreds to just a handful.

"Being on the cutting edge" is exactly how Embrace, Extend, Extinguish [1] works. The "cutting edge" is the "extend" part. When Google uses their market position to make their desired functionality, service or standard the new hotness other vendors have to either adopt that standard or be left behind. When those standards are something Google themselves created that benefits them directly (and harms competitors) they are extinguishing those other vendors.

This is directly out of the Microsoft playbook and is why IE became as despised as it is.

[1]: https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

What standards of Chrome are harming competitors? We have a lot of major progress in web standards because of Chrome going first and getting it done. Even Firefox has built novel new rendering with a brand new language.

Meanwhile Safari and Edge continue to lag behind with basic features. Either way extinguish only works if there's no ready competition, which is not the case here for the majority of users.

    That's a bad example. In technical progress,
    Chrome is the complete opposite of IE

When IE started to _gain_ internet share it was a paragon of technological development. It was far faster than Navigator, more reactive and performant.

Only little-by-little did Microsoft start adding in features no other browser supported. By the time the mid-late 00's rolled around and Chrome was released, IE was this red-headed stepchild, with a lot of unique Microsoft-only extensions.

Chrome is walking the same path, a technologically superior browser slowly breaking compatibility with the rest of the web. But in such a way that developers _aren't too unhappy_, but enough that most business users, and home users keep using it.

Saying Safari is the new IE is a short-sighted look at only the tail end of the problem from IE7 or so out. When IE was this slow laggy thing people kept around from Windows XP. Instead you need to look at Chrome like somebody would look at IE4 compared to Netscape Navigator. Sure IE4 breaks standards, but custom webfonts, OpenSSL encryption, ActiveX containers! All these new tools developers can use to make a richer more interactive web experience!

Code formatting quotes makes quotes very difficult to read on mobile. I wonder why we couldn’t just use quotation marks?

HN is so non-optimized for mobile to the point of user hostility why bother?

I think you forget that in its time IE was massively innovative.

It was IE who added XMLHttpRequest and invented AJAX.

They did it by ironic accident.

Bill Gates wanted their browser to be the best, but also wanted it not good enough to replace desktop apps. However the right hand didn't know what the left hand was doing. The Outlook team was told to make a web version. They got the IE team to add XMLHttpRequest for their use, everyone implemented what they needed to, then went home and forgot about it.

Then Google recognized what the feature allowed, and used it in gmail and maps. The rest of the internet said, "Wait, what, you can DO that?" Studied it, popularized the technique as AJAX and the rest is history.

Gmail was not even close to the first Ajax based email not by MS. Oddpost which later became Yahoo mail (Yahoo bought them to upgrade their mail) preceded Gmail by a few years.


That may be, but the original articles that I saw making AJAX the new hotness referred to gmail and Google maps.

Furthermore I remember gmail's keyboard shortcuts being a shock to a lot of people. Me included.

This origin story of XMLHttpRequest being an afterthought explains why the class name has inconsistent capitalization which interestingly enough I never noticed until now.

You can find verification of it in the various references provided in https://stackoverflow.com/questions/12067185/why-is-it-calle.... In particular https://web.archive.org/web/20170424220609/http://www.alexho... is a snapshot of an explanation from the person who actually created the feature.

Many style guides for CamelCase recommend not writing acronyms in all caps past a certain length.

It's possible that Microsoft's style guide at the time set three characters as the limit.

> It was IE who added XMLHttpRequest and invented AJAX

...in 1999. Then IE6 was released in 2001, and then Microsoft scrapped the Internet Explorer team and didn't release another browser for 5 years, leaving us with 90%+ of users stuck on IE6 bugs and non-standard features.

That's what the GP is talking about.

... which occurred during/after the anti-trust case against them (which led to Bill Gates stepping down as CEO). If we wanted to be honest with our commentary, you would have to realize that to compare apples to apples, you have to compare Chrome to IE 3-5, not IE 6.

XMLHttpRequest was nice but hardly necessary, you could do same thing with frames. Just another little trick so Outlook Web Access would suck on the standards browsers. Oh, and of course it required ActiveX for no reason but to limit it to the Windows platform.

And IE4 added webfonts, still doesn't mean that IE6 & 7 were the least standards-compliant browsers of their time, in contrast to modern day Chrome.

> "just use chrome" is an endless refrain from webdevs who don't want to test on Firefox

This. I get to hear this from my colleagues at work all the time.

> "just use chrome" is an endless refrain from webdevs who don't want to test on Firefox.

Not at all. I used to start developing while netscrape was still a thing. Chrome is (and it was) a blessing for developers. I try Firefox like once a year and see no reason to switch.

The actual case is also no reason to switch (for me) but I'll watch it.

This seems to reinforce my statement? Chrome may be easier to develop on but that means sites break on Firefox or other browsers when Google differs from those other vendors. Google abuses this market position and developer preference.

Safari is the new IE, Chrome has been responsible for a huge number of positive changes in the browser landscape.

I develop in Chrome because that's where the majority of our conversions come from.

I (my QA team) also tests Safari, Firefox and other browsers where a significant number of conversions come from. I never heard "just use chrome" in any professional environment.

Same was true for IE, IE for instance pioneered asynchronous requests (which is pretty much the norm these days) and things like that - still was a bad browser though.

That's one point of comparison that glosses over Chrome's compliance with standards in stark contrast to IE.

Google is just playing the game (embrace, extend, extinguish) - meaning the outcome they try to achieve is the same.

I think the difference is that IE stopped innovating once they had the market cornered. Chrome is continuously on the cutting edge of features and specs, even after it became the #1 browser.

It became bad when it stopped making progress, because the team was largely disbanded and the product stagnated in maintenance mode.

This reinforces my point about "just use Chrome". Google knows devs like Chrome and they make it easy because if more people use Chrome they can abuse their position to shape the rest of the internet to their preference. Why do you think they put energy into Chrome at all if not to get more eyeballs on Google services?

What I find troubling about this incident is not so much the change itself, or even how quietly they did it. It's the doubling down when users became critical. Rather than an "Okay wow, we clearly misunderstood the impact of this change and regret pushing the change without proper announcement or informed consent. We'll work to fix this." the messaging feels much more like "You're wrong to be upset. Trust us."

I think it's worth remembering that the userbase of chrome is huge and largely non-technical (i.e. they're not going to be on hn, twitter, reddit etc. voicing their opinion on the privacy implications of this change). What if for that big proportion of people the change is a net gain? Should it be reversed because the change is a net loss for a small subset of people?


> My teammates made this change to prevent surprises in a shared device scenario. In the past, people would sometimes sign out of the content area and think that meant they were no longer signed into Chrome, which could cause problems on a shared device

I can see why there is pushback against this, but the issue described above is also understandable. There are valid reasons why "average" users would rather have this, and having unsynced or completely mismatched logins between Chrome and Google sites can lead to confusion for many who don't really see or care about a difference between them.

However it would be best if Chrome kept the settings to disable this. It doesn't make sense to remove those flags when they also have a large technical user base. Seems like good intentions but misjudging the impact of the decision and forcing it on everyone without recourse.

Except this doesn't actually "prevent surprises in a shared device scenario" for the web, in general; it does for Google sites and services only. Logging in to Facebook or Amazon or my personal blog does not show up as a browser indicator, nor does logging out of the browser also log one out of Facebook or Amazon or my personal blog.

This makes Chrome less of a browser and more of a gateway to Google services that happens to include a browser. Which will also trick non-technically-savvy people to accidentally share their non-Google logins when sharing computers/"browsers".

Maybe they want every site to use Google for authentication? If that's their wish, then I so much wish Mozilla hadn't failed with BrowserID.

Yes, but as I said, most people probably do consider it a single gateway to all of their Google services, browser included.

The big difference is that your Chrome account is your Google account, unlike any of the other sites you mention.

People are perfectly capable of distinguishing between browsers and websites. For example, users have no problem logging into Facebook with Chrome.

Auto-signin only adds confusion. Many (most?) users have no reason to associate their browser with a Google account. This is something that Google is pushing unilaterally, just like Google+/YouTube integration. As an advertising company, they stand to benefit from more accurate user tracking.

Capable? Sure. But probably not interested in the difference.

Again, the Chrome account is your Google account so you're not associating anything, you're just logging in. It's different than any other example where the website has a different account. Signing in to Chrome and then into Gmail is not what most users would expect because for them the browser really is just another Google service.

There seems to be a big (and sometimes willing) misunderstanding from HN/tech users about the mainstream population who just want things to work.

> The big difference is that your Chrome account is your Google account, unlike any of the other sites you mention.

Then Chrome should be just a Google Services Client app. It shouldn't pretend to be a browser. It shouldn't allow one to log into "any of the other sites", in the first place.

If that’s the explanation, the solution is to log out the browser when the user logs out of a google service.

That would follow the user's expectation (based on their observation).

Logging the user into the browser, on the other hand, is not directly related. And potentially unexpected for the user.

They could have had one without the other.

I sort of want Google to go further with this change, and simply have a "Sign in to Chrome, Google Sites, Amazon, and everything else" button.

In fact, it could also sign you in to local applications like Photoshop and Word.

They could call it the 'logon screen'.

I'm assuming you're joking. But you can use Chromebooks if you want to remove the separate OS layer for simpler uses.

Yes, it's a joke. The problem of multi-user devices has already been solved, and in a manner that works for all applications and sites, not just Google's.

In other words, the given motivation for this change rings hollow.

They could have simply put a note on the logout page. "You are now logged out. If this is a shared computer, don't forget to log out of your browser profile and any other sites too."

Their excuse sounds like parallel construction, as I refuse to believe one of the top IT companies in the world can't see why this solution is so bass ackwards.

They know exactly what they're doing, and it's the reason I went from a huge fan of Google products and early-adopter/beta-tester of everything possible, to scrubbing their existence from my and my family's life.

I am baffled by

> The particular Article 25 of GDPR is rarely seriously and meaningfully discussed in practice, not least because probably still almost nobody actually knows what the “data protection by design” even means.

This seems to be a confusion straight out of a five-stages of grief denial of GDPR principles.

Let's work this through:

Step 1: Are you collecting personal data?

Step 2: If so, are you obtaining consent prior to collecting this data?

Step 3: Are the instructions to the users transparent and understandable?

Step 4: Is your system designed to handle these?

Or is it hard, and since we haven't had to do it before, I would like to get out of this requirement?

Hi, original author of the linked post here. Thanks for the input. However, consent is not related to the concept. In fact it's more about taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Additionally, the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.


