If you’re among the billions of people using Chrome, then Google’s stark new data harvesting disclosures should come as a nasty surprise. Worse, a new Chrome revelation, one that hasn’t yet made headlines but which is detailed below, should serve as an even more serious warning. Here’s what you need to do now.
Google is under fire this week, after the surprising amount of your data harvested by Chrome has been disclosed. This is a genuine threat to your privacy. Worse, a more serious issue for Google, detailed below, hasn’t even made headlines yet. Chrome is totally out of step with Safari, Edge and Firefox, shattering Google’s “privacy first web” claims. All of which should give you a serious reason to quit Chrome today.
Last year, when Apple said that it would force app developers to disclose the scale of data collected and linked to its users, all eyes turned to Google and Facebook. Many suspected that this level of scrutiny would shine an alarming light on the world’s two most valuable data machines. And that’s exactly what has happened.
The issue for Google is that, unlike Facebook, it sits on both sides of the fence: guarding your privacy on one side, with Android and its mail, docs and drive ecosystem, and an advertising behemoth on the other, collecting $100 billion plus in ad spend, the majority of its annual revenue. In that regard, it’s really no different to Facebook.
And so, there’s little surprise that Apple’s mandatory privacy labels have shown these two ad giants to be well out of step with their peers when it comes to collecting your data. If your business model is monetizing your users’ information, then you’ll want to collect as much as you reasonably can—and Google and Facebook don’t disappoint.
“Google doesn’t care about protecting user privacy,” privacy-centric DuckDuckGo warned this week, when Chrome’s privacy label was finally revealed, “they care about protecting their surveillance business model. If they really cared about privacy, they would just stop spying on billions of people around the world.”
DuckDuckGo focused on the data that Google collects, linked to its users. But there’s a different dataset in the detail, included below, that’s much more damaging to Google and which shows Chrome to be shockingly different to its major rivals.
I have already warned that Gmail collects more data than other leading mail platforms. In its defense, Google pointed me at comments made by CEO Sundar Pichai, that “we don’t use information in apps where you primarily store personal content—such as Gmail, Drive, Calendar and Photos—for advertising purposes, period.”
You’ll note that Chrome isn’t on that list, nor is it an app “where you primarily store personal content.” But it is an app where you enter private and sensitive search terms and conduct private transactions. But what Chrome does have in common with Gmail is an avaricious and out of step approach to data harvesting.
Google took its time adding privacy labels, with a gap between app updates of some three months after the labels became mandatory. But now we can see the detail for Chrome, just as we did for Gmail. As I commented on Gmail, protecting user privacy is a binary philosophy, “you either believe it’s the right thing to do, or you don’t.” And these new labels have made Google’s (and Facebook’s) privacy claims sound hollow.
Just as with Gmail, Chrome collects your user ID and device ID in too many categories. Unlike Safari, Edge and Firefox, Chrome says it links all harvested data to devices and individuals. Safari collects but doesn’t link browsing history, usage data and locations to users. Neither Firefox nor Edge link usage data. But Chrome says it collects all those data fields and links all of them to user identities.
This isn’t complicated. The fact is that Chrome collects more data than any of the other browsers, yet is the only one that doesn’t appear to collect any data that isn’t linked to user identities. This is a much more shocking illustration of the different philosophies at play. Chrome hasn’t even attempted to protect its users’ privacy in this way. This isn’t about specific data fields, this is about an overarching attitude to privacy.
“You don’t become a multi-billion-dollar company without grabbing as much data as you can then monetize,” says Cyjax CISO Ian Thornton-Trump. “It’s like there’s some sort of crossroads, well, maybe a three-way intersection. Collect all the data you can, collect all the data you need or collect the bare minimum of data. The companies in the bare minimum category are few and far between.”
“Why does a web browser need my financial data?” asks security researcher Sean Wright. “I think that says it all really. I really struggle to think of a suitable justification for that.” Google will argue that you can elect to provide your financial data when you choose to transact. But it’s yet more data collected under the guise of convenience.
Google didn’t offer any comments in response to this story, but did insist that the justification for its data collection is to provide features and functions—for example tailoring searches to a user’s location. Again, this misses the stark difference between an in-session function and collecting linked user data, as suggested by its privacy label.
Google’s viewpoint, that it only collects the data needed to provide its service, is the same rationale WhatsApp gave me for collecting its own treasure trove of data. The issue with that reasoning, though, is that competing apps that collect significantly less data offer similar features and levels of performance and security.
Clearly, not every user will provide every data field on the privacy label to Google. The labels are intended as a worst case: this is the data that could be collected. This is why comparisons are so critical—no privacy label should be taken in isolation. It’s also wrong to only compare mainstream apps with privacy-first specialists: Chrome versus DuckDuckGo, or WhatsApp versus Signal, for example.
Comparing Google, Apple and Microsoft makes more sense. Looking across both email apps and browsers for the three tech giants does not paint a pretty picture for Google—bear this in mind before you install its apps on your phone.
On the surface, Google does appear to be making privacy-related changes. Google told me it will “no longer use the Identifier for Advertisers (IDFA)… on iOS for personalized advertisements and ad-related measurement in the near future.” Google has also committed to ending cross-site tracking cookies. But the devil’s in the detail, as seen in the news this week that Google killing these cookies might be anticompetitive.
Google makes its money selling ads tailored to you as an individual, contextualized by your search or activity. Most of those ads are geared around search queries. And so, Google’s plan to replace cookies with so-called Federated Learning of Cohorts (FLoC), a clever way to say the “anonymization” of individual users into groups of individuals with common characteristics, is the kind of cleverness you’d expect from an ad giant.
The shift to FLoC has been criticized as putting too much control and, ultimately, monetization in Google’s hands. And, because this approach is handled by the browser you use, that control is enabled by Chrome’s dominance of the browser market, with a greater than 60% market share. “Users and advocates must reject FLoC,” says EFF, “and other misguided attempts to reinvent behavioral targeting. We implore Google to abandon FLoC and redirect its effort towards building a truly user-friendly Web.”
You might decide that you don’t like your browser analyzing searches and collecting your data to target you with ads. You might assume that a browser alleged to have tracked users even when those users enabled its “incognito” mode isn’t a privacy-first kind of platform. You might also ask if Safari and Edge deliver a degraded service absent that data harvesting. Remember, you can use Google without Chrome.