September 30, 2010

Warning: Google Chrome Apparently *Removing* Key Privacy Feature

Greetings. Last March, in Why I'm Switching to the Google Chrome Browser (New Privacy Enhancements), I enthusiastically endorsed Google's Chrome browser, and explained why I have switched to it from Mozilla Firefox.

I hope I'm not forced to reverse that decision. But I am quite concerned about a new development.

Google announced today that their URL shortening system "goo.gl" had gone public for general use. (I discussed an issue related to this in an NNSquad posting earlier today.)

In the process of experimenting with goo.gl, I ran into some login problems that appear to have related partly to my use of the "block third party cookies" option in Chrome -- this sort of setting is widely recommended by various parties regardless of your browser choice.

But looking deeper, and after seeing different behavior in Firefox testing, I discovered what appears to be a much more serious Chrome cookie-related problem.

It seems that the new Chrome beta (7.0.517.24) -- being automatically pushed out now -- has (with no warning whatsoever) removed what I consider to be a key functionality, the cookie control setting that allows you to be queried for a decision whenever new cookies are being offered, and permits you to determine how cookies from related sites will be handled in the future.

Suddenly I realized why I've been getting e-mails today from people complaining about Chrome cookie problems that they didn't understand.

It was the original appearance of this extremely useful setting in Chrome (it has long been available in Firefox) that allowed me to personally move to Chrome as my browser of choice, and to also recommend Chrome to individuals and enterprises who are concerned about privacy and security issues.

Without such a setting, or an alternative means to access equivalent functionality (e.g. through a browser plugin/extension), I will likely be forced to move back to Firefox, and recommend the same course for most other individuals and firms.

It's no doubt true that many Chrome users have never accessed this feature, and choose rather simply to accept all cookies on a willy-nilly basis. But this simply is not an acceptable modus operandi for vast numbers of users and organizations who need convenient site-by-site cookie control. Nor is manually entering cookie exceptions into tables a practical solution on a routine basis.

I believe I originally noticed that this option had been removed from the Canary (bleeding edge development) build of Chrome sometime back. But I saw no reason to be alarmed -- not all aspects of the dev versions will necessarily find their way into stable versions.

But the beta path leads in a much straighter line to the stable releases, and sudden disappearance of this crucial cookie control feature for stable version users would likely cause a great deal of confusion and consternation in many quarters.

To be very clear about this, the current stable chrome release apparently still has this feature present. If you are a Chrome stable version user (check the About Google Chrome function to query your current version) you do not have an immediate concern, but note that updates can occur at any time automatically.

The new beta version (and I assume the "standard" dev version, though I don't have that here to check immediately) appear to now be missing the site-by-site query cookie functionality.

Right now I'm temporarily running with all cookies enabled just to get this blog posting out, but this is not a viable solution for long. I am now looking at either downgrading to Chrome stable -- for however long that continues to include the key functionality of concern -- or moving back entirely to Firefox.

Frankly, there is no good excuse for removing this feature without replacing it in an equivalent way (and at this time I know of no Chrome extension or other form of Chrome plugin that can do this -- I'd be very happy if someone could inform me otherwise).

Even given that most people probably haven't used this function, and even if using it wrong causes some users confusion -- it could have simply been moved to a somewhat "deeper" settings level (this is how Firefox has been handling this function as of late).

Site-by-site query cookie control is an extremely important capability for the users and enterprises who need to carefully control cookie use. Not having this ability can absolutely be a deal killer.

I am attempting to learn Google's intentions regarding this issue. I'll report back when I know more.

Take care, all.

--Lauren--

Update (October 1, 2010): More details regarding my concerns about this change in cookie handling (from Hacker News)

Posted by Lauren at September 30, 2010 04:46 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein