>How is sending my personal passwords to a server under Google's control an increase in my privacy?
If this change did that, I might be inclined to agree with you. But as far as I know, it doesn't. You still have to explicitly opt in to syncing. Which is a no-op compared to the old behavior.
According to the Privacy Policy (even after the changes from this weekend) this change gives Chrome permission to upload data.
> The personal information that Chrome stores won't be sent to Google unless you choose to store that data in your Google Account by signing in to Chrome.
If what you are saying is true- and will remain true for the future- why didn't they change that language to say something like-
> The personal information that Chrome stores won't be sent to Google unless you choose to store that data in your Google Account by signing in to Chrome and enabling syncing.
Yeah I directly quoted from the privacy statement and the line I quoted is still there.
Seriously though, searched for "signed in" (like, ctrl-f). There's an epic ton of things that they are allowed to do for signed in accounts versus normal browsing even with sync disabled. These are all directly quoted from the privacy policy and do not require syncing to be enabled-
* If you are signed in to a Google site or signed in to Chrome and Google is your default search engine, searches you perform using the address bar in Chrome are stored in your Google account.
* Payments. If you are signed in to the Chrome browser and you have credit cards stored in your Google Payments Account, then Chrome will offer you the option of filling those cards into web forms. In addition, if you enter a new credit card into a web form, Chrome will offer to save your credit card and related billing information to your Google Payments account.
* Language. In order to customize your browsing experience based on languages that you prefer to read, Chrome will keep a count of the most popular languages of the sites you visited. This language preference will be sent to Google to customize your experience in Chrome. If you are signed in to Chrome, this language profile will be associated with your Google Account and, if you include Chrome history in your Google Web & App Activity, may be used to personalize your experience in other Google products. View Activity Controls.
> * If you are signed in to a Google site or signed in to Chrome and Google is your default search engine, searches you perform using the address bar in Chrome are stored in your Google account.
Note the "or". If you're signed into Google and you do a Google search, that's stored in your account by default. The only reason signing into Chrome is relevant is that that also signs you into Google.
> * Payments. If you are signed in to the Chrome browser and you have credit cards stored in your Google Payments Account, then Chrome will offer you the option of filling those cards into web forms. In addition, if you enter a new credit card into a web form, Chrome will offer to save your credit card and related billing information to your Google Payments account.
This doesn't suggest any data being sent to Google unless you accept the offer to save a card to your Google Payments account.
> * Language. In order to customize your browsing experience based on languages that you prefer to read, Chrome will keep a count of the most popular languages of the sites you visited. This language preference will be sent to Google to customize your experience in Chrome. If you are signed in to Chrome, this language profile will be associated with your Google Account and, if you include Chrome history in your Google Web & App Activity, may be used to personalize your experience in other Google products. View Activity Controls.
Okay, this is one actual example of signing in causing more data to be sent to Google than would happen otherwise. It seems pretty benign, though.
I don't think you're parsing that first one correctly. Here it is with one of the two principles removed-
> > * If you are signed in to Chrome and Google is your default search engine, searches you perform using the address bar in Chrome are stored in your Google account.
If you are signed into the browser but aren't signed into Google this states it will still save your search query.
Look in the OP for the phrase "Mistaken synchronisation". You'll land at a section where he verified the steps by which a confused user could easily turn on synchronization without understanding that they had done so.
Note that I explicitly mentioned this as the one consideration that was mildly convincing:
>I think I've seen exactly one potentially compelling argument, which is that it may now be easier to accidentally enable syncing when you don't want to, since its a single click instead of entering a password.
Personally, though, (and I want to highlight that this is just my opinion as a person) I don't think it's a regression. But I can understand why others might disagree. From what I've read, the old behavior was that logging in enabled syncing by default. So accidentally logging in would immediately sync things.
I've certainly made the mistake of logging into the wrong account in the wrong chrome window, so I could absolutely see a user making the same mistake previously.
But even if you disagree, I think "you can synchronize by mistake, so they should add a confirmation dialogue" (which is a change I would support!) puts this firmly into the realm of imperfect UX and not an attack on privacy that should be totally rolled back.
And the aggravating (and potentially harmful) thing is that we can't even approach the discussion of "should we add a confirmation box", which would address the UX issue, if the accusation is that it's an attack on privacy. First we have to have this long tiring discussion where people throw around words like "Orwellian" and "GDPR" and we get to the reality that people are complaining about a whole host of not-really-harmful things, and that the one actually-maybe-harmful thing is a confirmation dialogue.
And yet as a employee of Google the question that you should be concerned with is how this impacts you. Given that GDPR was explicitly intended to punish big American companies for violating the privacy of Europeans, you should read the GDPR carefully from the point of view of, "Would the people who wrote this intend for my employer to get hit by my behavior?"
For a cautionary note, consider carefully how Microsoft got away with losing antitrust lawsuit after antitrust lawsuit and laughing about the consequences...until the EU decided to raise the stakes on them. And then read https://www.cnbc.com/2017/06/27/the-largest-fines-dished-out... to remind yourself how the EU thinks of Google.
Now I personally am opposed to the EU approach. (The upcoming copyright laws are particularly worrisome to me.) But at some point Google is going to need to leave the EU, or else to follow EU law. I don't believe that Google is willing to exit the EU. In which case you should really be worried about parts of Google that are putting the whole company at risk by violating EU law. No matter what you, personally, think of said EU laws.
If this change did that, I might be inclined to agree with you. But as far as I know, it doesn't. You still have to explicitly opt in to syncing. Which is a no-op compared to the old behavior.