Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The sync thing was overblown. The cookies thing was a bit more concerning to me.

Not so much from a privacy angle but from more of a 'Chrome has lots its way' angle.

A lot of our software's more complex interfaces are Chrome-first since its faster to develop - yesterday was the first time I made a serious consideration to change that approach.

Glad to see they are listening to user feedback and reacting quickly.



> Glad to see they are listening to user feedback and reacting quickly.

I consider an opt-out as paying lip service to the feedback. Clearly they feel the default is more important than the generated angst. Reaction clearly needs to be even stronger to affect real change. An opt-in (e.g. a dialog on next Google login from Chrome asking for feature enable) is a compromise, an opt-out is to appease the temporarily upset while keeping all that they added in place and defaulted.

This is not an olive branch, don't accept it, condemn the continued incremental marriage of Google browser+services, and continue to move on and de-google yourself where you reasonably can.


You seem to be looking at the choice of opt-in vs. opt-out from the perspective of a user who actually cares about the feature.

Much more common, though, I'd say, is the type of user who will accept whatever the default is, because they just don't care.

Compare: the organ-donor registry. When it's opt-in, most people don't opt in. When it's opt-out, most people don't opt out. Most people just don't care.

If you think something is good for people, you have to consider the large group of users who don't want to put in the time/energy to evaluate whether the thing is good for them, but just want the program to shut up and do what it does by default—whatever that is.


It’s not just that the user doesn’t care. I don’t want to have to monitor constantly hackernews to find out what new invasion of privacy google will sneak in discretely, even if there is a switch somewhere to opt out. I want to be able to rely on the tools I use.


The issue with this line of thinking is that this change isn't really a privacy invasion. Account consistency didn't at all affect privacy. You still had to opt in to syncing, which did affect privacy.


I would be surprised if it didn't affect google's capacity to track you nominally.

When I flush all cookies from my browser session, and open a new session, I am a new user to google's various tracking mechanism. If I am an authenticated google user, then I am not.


I would agree that there was at least potentially an issue due to it re-logging you in. But I'll note that no one wrote a blog post about that. Someone just mentioned that on twitter after this was already a big "controversy".

In other words, you had half of HN claiming to be leaving Chrome over something they had no reason to believe had any privacy implications, and in reality, has either 0, or really close to 0, actual privacy implications.

I made a claim about HN being a small group in the grand scheme, and someone countered by claiming that most users didn't understand what was changing. But I think the funny thing is that the average user, who had the understanding that "literally nothing" was changing, would have been closer to the truth of the situation than the average HN commenter.

Not to say that the result of the hullabaloo was bad, I actually think this set of updates only improves things over where they are now, but its still a really strange sequence of events.


No the problem is tracking. It basically makes google tracking cookies un-deletable. I don't see how this is a non-issue from a privacy point of view.


Well no, logging out in the browser would still delete them.

This is kind of what I mean, you can't talk about this without hyperbole.


But if it re-logs you back in when you re-open the browser, it may be technically a different cookie, but it is a cookie with your real identity attached to it (as opposed to an anonymous cookie like if you started a fresh session on an older version of the browser). So practically, that has the same effect that if the cookie was never deleted.


The parent means, logging out and staying logged out of the browser, would have exactly the same behaviour as logging out of your Google Account would in Firefox.

The whole point of the feature was just that:

1. “are you logged into your Google Account from the perspective of Gmail et al” is now the thing the browser chrome itself reports; and

2. you now need to be logged into your Google Account in the cookies sense for Chrome sync to function; logging out of your Google Account turns off Chrome sync.

Before, people could be in a state where they have Chrome sync enabled with foo@gmail, but are not logged into foo@gmail from a cookies perspective, and are potentially even logged into bar@gmail.

This is the state that has been eliminated—now, the browser chrome’s login state reflects your Google Account web-cookie login state, because they’re one-and-the-same; and every method that logs you out of your Google account from a web-cookie perspective, also logs you out of Chrome (and vice-versa.)

Consider the privacy implications of someone who logs out of Gmail, but is still logged into Chrome sync as said Gmail user; and then lets someone else use the computer. That is what is no longer possible.

It’s a privacy improvement targeted at the people who expect “logging out” of their Google account to be one unilateral action that frees a computer of all artifacts related to their original logging-in. Which, until recently, wasn’t true: if you originally logged in by entering your credentials into the “new Chrome profile wizard” (where they set up the credential as both your synnc and web-cookie credential), and then logged out of one, it wouldn’t affect the other.


No, I mean you can log out of your Google account in the browser and it actually logs you out. Deleting your cookies does re-create a cookie (which is weird), but logging out in browser (I see it as "Exit Joshua" on Chrome on OSX) deletes Google cookies and doesn't recreate any.


It is difficult for me to assess the validity of this statement. I cannot tell if the behaviour is or is not a privacy invasion. What I can tell is that it is not in the direction of greater privacy. That it is not a feature I'd requested, want, or am comfortable with. And it's in line with multiple past trust violations.

That Google are announcing walking this back within days of release and publicity suggests some measure of the storms roiling the 'Plex presently.


>What I can tell is that it is not in the direction of greater privacy

For you, it may be a no-op, but for many users, it is a net increase in privacy (people who use multiple accounts or who use accounts on shared computers).

>That Google are announcing walking this back

Erm, sort of, I guess. There are some small changes.


...for many users...

What numbers, precisely, do you have on this? Because it sounds to me as if you're arguing from a position of ignorance.

There might be some benefit to the small number of users who 1) have multiple devices and 2) share one or more of those amongst several other people in the same account in ways that this Chrome feature ... might address. But this doesn't strike me as some overwhelmingly large use case.

The system for user separation on shared computers is called ... user accounts. Which every mainstream consumer operating system has supported for the past 17 years (Windows XP being the latecomer to this game.)

Otherwise, this is a broadening of Google's ever-expanding ingestion of user data, either directly or by way of one more (or an incremental series of) "small change". If I notice my enemy maneuvering me to his advantage, I counter that maneuver. In my case, it's meant uninstalling Chrome and Chromium from any systems on which that's possible.

(My much-regretted purchase some years ago of an Android tablet being the primary exception, though I'm resolved to not repeat that mistake, despite a dire lack of viable market options presently. Purism and Ubuntu may be nearing useful products.)

...small changes...

In the Universe in which I inhabit, Google specifically addressed user feedback and sign-in changes. I cannot find your characterisation of their announcement as accurate under any charitable interpretation.


I don't have that data on hand, but the chrome team apparently does.

Certainly, for you or I, user accounts (and incognito windows) solve most of the problems that this change fixed. But most users aren't you or I.


Google's claimed usage data has stood up poorly to my investigations in the past.


If you think something is good for people

Therein lies the disagreement - Google thinks it is good for people to log in to Google services via their browser, and to always be logged in (it's certainly good for Google!), therefore they choose these defaults, opting in to login and to tracking.

Many disagree.


Like Apple thinks it's "good for people" to have a 40% markup on their product...


If you want to participate in a debate or discussion, then ddo so. Whataboutism, deflection, projection, etc., are not that.


> Compare: the organ-donor registry. When it's opt-in, most people don't opt in. When it's opt-out, most people don't opt out. Most people just don't care.

Most people don't know it exists or that they have an option. You cannot care about something if you don't know it's there.


> Most people don't know it exists or that they have an option. You cannot care about something if you don't know it's there.

Most people won't know that these chrome features exist. Most people don't go digging through options and settings, they just download chrome and go, go, go.


Exactly. Same as the organ donor thing. They don't KNOW. If they knew they would CARE.


The cookies thing could be seen as a bug: the button does remove the cookies, but because your google sign in state is now tied to the browser sign in state, new cookies will immediately be set.

To fix this, the “remove cookies” button would also have to sign you out of chrome which would also feel weird from a UX perspective.

All in all I think this was just released a bit early before all UX edge cases could be tackled (or even discovered. Sometimes you find things only in wider rollouts)


If exempting Google's cookies from being cleared was a bug, they would not have added a message in the UI that "you won't be signed out of your Google Account":

https://twitter.com/ctavan/status/1044282084020441088


> The cookies thing could be seen as a bug: the button does remove the cookies, but because your google sign in state is now tied to the browser sign in state, new cookies will immediately be set.

Then maybe tying the Google state to the browser state was a mistake and should be reverted?


>A lot of our software's more complex interfaces are Chrome-first since its faster to develop - yesterday was the first time I made a serious consideration to change that approach.

Heh, I wonder if the next privacy blunder from Google will make you further reconsider your "voluntary vendor lock-in" approach :)


I said Chrome-first. Not Chrome-only.


I'd still ask to consider a Firefox first policy.

I've been using Firefox as my main dev browser for years and it has a huge, practical advantage:

- Usually it Just Works in every mainstream browser (had one single case in the last year where it broke in another browser).

My colleagues who use Chrome has to fix QA bugs more often than me it seems ;-)

Bonus: Support a good cause (cross browser compability)


yeah like in "this is just temporary code we put in production, we'll clean it later" :-) :-) </joking-with-a-touch-of-cynism>


I disagree the sync thing was overblown. A website's cookies and the internal functionality of the browser are conceptually very different and (up to now) well differentiated concepts. Mixing them up and blurring the lines between them is just a portal to confusion of the average user, who is already confused enough.

I fear that changes like this will eventually make it impossible to effectively explain to an average user even the basics of how the web works.


Google's claim (which I'm inclined to believe) is that the previous state is more confusing to the average user. While we think in terms of "content" vs "browser", apparently the average user does not, and finds it confusing that part of the browser is signed into Google, but part isn't.


That may be, but that doesn't mean the concept should be abandoned and the browser married to the content in inexplicable ways. At least the way things are now, I am able to understand what is going on and teach it to my parents. If the non-average users also stop understanding what is happening behind the covers, is there any hope left for the open web?




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: