Chrome update turns browsers into covert listening tools


#1

[Read the post]


#2

At the risk of victim-blaming: don’t leave an unused microphone plugged in to your PC, and don’t buy some crappy all-in-one box/laptop that doesn’t give you the option to physically disconnect it.

I’d never leave a webcam plugged in and pointed at me if I wasn’t in the middle of a video call. Treat audio hardware with the same caution.


#3

So don’t buy a laptop then?

How many laptops these days don’t have microphones built in? Clearly, many have buttons to disable them, but that distinctly is not a physical disconnect - you’re banking on the vendor not to ignore your button press.


#4

I agree. Don’t buy a laptop.


#5

Yeah, that’s victim-blaming. Almost every new laptop has a microphone installed, and turning it off would require the user know enough to disable it. Even disabling the microphone device in the OS isn’t necessarily enough to turn the device off itself. At least with video you can physically tape over the camera.

Nobody should be covertly installing software on your machine to take advantage of a default listening device being left open to send your private info out to some third-party hell.


#6

So a bug caused by incompatibility between modules that Debian installs alongside Chrome might turn on your microphone. Therefore, Google is spying on you.

You know, you should really try not to turn every hyperbolic blog post you find into a super-hyperbolic content-free panic outburst. It starts to wear out your credibility after a while.


#7

This is such bad reporting. Someone looked at a bug report, misreported it, and it’s been echoed out through the tech news without checking the original source, which is a bug report in Chromium:
https://code.google.com/p/chromium/issues/detail?id=500922#c6

The issue at hand is the “okay google” voice activation for a voice search in Chrome, which is still an opt-in and which is not turned on by default. However, the voice activation is proprietary code, so on Chromium it is downloaded separately silently without the user’s permission. Some Linux users who used Chromium in other browsers were upset with this. Google says that this is because their main goal with Chromium is to prepare it for Chrome and that 3rd party browsers or projects using Chromium are responsible for removing this themselves. However, in a future version of Chromium they are at least making it easier for 3rd parties to quickly disable.

That said, the Google engineer points out that the code that activates and deactivates the module is open source and so developers can clearly see when it is activated.

Basically someone, I’m guessing who isn’t a developer, wrote a story about this bug report, confusing the issue between Linux users of Chromium who didn’t want this hotword module downloaded without their permission and something that just listens on their own.

On Chrome, nothing is being installed silently, “okay google” voice activation is a feature that is clearly advertised as part of Chrome and was just recently added to ChromeOS. However, as mentioned again it is currently opt-in and disabled by default.


#8

A seriously ridiculous statement. No software manufacturer should abuse its customer’s trust like this. I understand that Chrome has the ability to turn on microphones and send recordings to itself to handle things like voice search, but this should be an opt-in functionality, not an opt-out one and without an opt-in Chrome should not ever turn on your microphone.

Also, saying “this is just a bug” might be technically true, but this doesn’t change the fact that recordings of your household goings-on end up on some server you have no direct access to or control over. Google might keep that data, analyse it to “improve its service”, actively listen to it, hand it over to third parties, etc. all without your consent or knowledge.

Obviously, the best solution to this would be to outfit devices with a hardware switch to switch the microphone and camera on and off.


#9

Seriously poor reporting here. Nothing in the Guardian article implies Google Chrome is displaying the bad behaviour people are seeing in Chromium on Debian boxes, but the opening sentence of this BB point calls out Google Chrome. Get your facts right, people.


#10

That’s not victim blaming. That’s manufacturer excusing and self aggrandizing. Zero victims blamed, your superiority is evident. :wink:


#11

So it’s too early to smack Google with a DMCA violation? Because I think a few dozen of those could clear this problem right up, if it was real.


#12

Three things worth mentioning:

(a) The feature is not enabled by default; it has to be explicitly enabled in chrome://settings
(b) Numerous people have completely misconstrued the output of a Chrome status page to claim that this is on by default; when in fact it’s not.
(c) There was a mistake on behalf of the Chromium package builders which included this (non-OSS) module by default; that has now been rectified.
(d) Cory’s headline is complete hyperbole, and very distant from the actual situation.

As has already been posted, the thread at https://code.google.com/p/chromium/issues/detail?id=500922 gives a far more accurate account of what’s happened than Falkvinge’s article.


#13


#14

Wouldn’t it be a wiretapping violation?


#15

I use Chrome and didn’t know it could do voice search. How do I use it?


#16

Oh I know but it would be much more fun to see them hoist by their own petard.


#17

If this was real you would be able to easily check your network connection to see if Chrome was pulling in audio data and sending it to Google, especially as audio data tends not to be very small. You could even enable “OK Google” and do a voice search to see an example of that data. Then turn it off and see if it happens again while Chrome is running.

Also, as previously mentioned, the more developer-related option: you can look at the open source of Chromium and look at the code that enables and disables the hotword module. Basically what happens when you turn on and off the “OK Google” voice search.

Why isn’t this chunk of code open source like the rest of Chromium? I’m guessing Google doesn’t want another competitor to get the code that activates on a specific hotword, in this case “OK Google”. As I’m guessing it does a good amount of work locally without hitting Google servers. Then only when the keyword is discovered does it send everything from the microphone to Google’s servers.


#18

In Chrome open up your settings, go to the Search section and check off ‘Enable “OK Google” to start a voice search’.


#19

Not a very bright idea. US tech companies were caught in bed with spy agencies in the past (PRISM). Apart from USians that have a cloudy “…but we’re the good guys” self-delusion, the rest of the planet already sees Google, Apple, MS etc as slightly suspicious at best and as fifth column at worst.


#20

I thought BB was maintained by generally tech savvy people not prone to misinformation and panic? I guess I was wrong.