New Chrome Sign-in Fears are Overblown

A feature update that would be a non-story for almost every tech company can turn into a massive headache for Google. So it goes with the new Chrome auto-sign-in feature:

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)

That description is from the top story on Techmeme this morning, a blog post titled “Why I’m done with Chrome.” The blog post comes about 10 days after a contentious Hacker News thread about the same issue. The story has yet to reach the mainstream tech press, but it will if journalists can figure out a way to simplify it. [Update: TechCrunch picked it up here]. There is a specific lesson in this for FB and Google lawyers and a more generally applicable one for the rest of us.

Google's Lawyers Have it Worse than the Rest of Us

First, the specific lesson. If you are a Facebook, Google, or Uber attorney and are launching a product feature that is even tangentially related to privacy, make sure you’re prepared—with talking points and social media responses, a blog post, a privacy policy update, and anything else that could be relevant—because someone is going to view what you did in the worst possible light, even if the feature is benign. Take the article excerpted above. The author’s complaints aren’t that Google is actually obtaining data that it shouldn’t but that it could.

If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome [i.e. signing into Chrome] . . . why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we’ve all stopped paying attention?

The answer to that question, of course, is the Federal Trade Commission's consent decree that strictly prohibits Google from doing so. And that consent decree has teeth. Google was fined $22.5M for violating it in 2012 (I imagine that fine would be 10x today).

The author’s other complaint is that the UI is confusing: "what happens to my data if I click it by accident?" I mean, good call on objecting to a potentially confusing UI design. But I don't see a clear intent to deceive, and confusion is in the eye of the beholder. My larger point is that, for someone like me who never worked at Facebook or Google, the thought that this auto-sign-in-to-Chrome change would make it to the top story of Techmeme is . . . surprising.

Derail the Bad Publicity Train Before it Gets to the FTC or an EU Privacy Regulator

Privacy gaffes/oversights can lead to legal issues, and they follow a predictable escalation pattern: Hacker News discussion → blog post → mainstream tech press article (e.g., TechCrunch) → mainstream news article (NYTimes) → FTC investigation. Each one of those steps gives you a chance to defuse the issue. Like, if you address the Hacker News discussion, there probably won’t be a blog post and so there won't be any press and a resulting FTC investigation. So if you see a negative Hacker News story about something you’re doing, get your ducks in a row. Google updated its Chrome privacy policy today, 20 days after the update, to call out the fact that Chrome sign-in works differently, but, as of the morning of the 24th, hasn’t blogged about the update or provided a redline. (Note: https://www.diffchecker.com/ is a quick way to view changes to PP and TOS.) I don’t think this Chrome change will rise to the level of an FTC investigation, but in today’s political climate, who knows. And why risk it?