Naked Security

NOT OK, Google! Privacy advocates take on the Chromium team and win…

Privacy advocates were unsurprisingly unimpressed that Google's Chromium project silently downloaded a proprietary add-on... that listened to your microphone.

An intriguing, interesting and ultimately influential privacy campaign has just this day reached a successful conclusion.

Privacy advocates aimed their open-source attitudes straight at Google’s Chromium team, stuck to their guns without any ranting (Linus Torvalds, take note!), and won a small but respectful victory.

Result!

Here’s how it all went down.

The bug report

Just over a week ago (16 June 2015), a bug report (strictly, an issue) was filed against Chromium.

Chromium, you may remember, is the open-source version of Google Chrome – the works-by-itself core of the Chrome project that you can inspect, build and use without including any of Google’s proprietary components.

In Google’s own words:

Chromium is the open-source project behind Google Chrome. We invite you to join us in our effort to help build a safer, faster, and more stable way for all Internet users to experience the web, and to create a powerful platform for developing a new generation of web applications.

The contested behaviour in Chromium boiled down to this:

  • Install Chromium (the reporter was using OS X but Chromium builds on Windows and Linux too, amongst others).
  • Run it.
  • Watch it download a binary BLOB (non-open-source lump of executable code).
  • Find out that the BLOB is responsible for listening to your microphone in case you say, “OK, Google.”

The incantation “OK, Google” is Mountain View’s trigger phrase (hotword, as it is somewhat inaccurately called) to turn on voice commands, to save you typing.

Not OK, Google

Open-source privacy advocates rather convincingly argued that this behaviour is not the sort of thing you’d expect from an open project.

Firstly, there’s the issue of automatically downloading an add-in module that you didn’t build yourself, without being asked, and without knowing what it’s for.

Secondly, there’s the issue of code that turns on your microphone without asking you first.

Thirdly, the privacy guys quickly noticed, there’s the problem that the add-in module doesn’t show up in Chromium’s add-in list.

The Google Chromium team responded quickly, but perhaps without thinking things through terribly well.

They argued, amongst other things, that:

  • The module was loaded but not actually activated, no matter how confusing that might seem.
  • Chromium is technically “not a Google product,” so what actually gets distributed is SEP. (Somebody else’s problem.)
  • Not displaying built-in or automatically-downloaded “core extensions” is considered a feature, not a bug.

Ironically, Google seemed to be saying that it considered the hotword extension to be a core part of the browser, yet it didn’t consider the fact that it was shipped as a core component to be something it should have an opinion about.

So the privacy guys kept up their position, countering that:

  • Clarity matters.
  • Opt-in is important.
  • Google could and should take a position.

Mountain or molehill?

You might think that this is a bit of a mountain out of a molehill on the part of the naysayers.

But, as so often with computer security, the devil is in the details.

Part of the purpose of Chromium is to create a browser in which trust is not only earned but also readily auditable.

Under those circumstances, it isn’t enough simply to say, “Trust us: even though that BLOB may technically be eavesdropping without being clear about it, it’s only listening out for ‘OK, Google.’”

Indeed, as one commenter pointed out, you can also say, “OK, Computer,” and although the difference may seem pedantic, it does raise the question of how you figure out what else might be going on, because it belies the original claim.

You can’t be metaphorical and precise at the same time.

→ It’s like making a statement such as “we detect 100% of all viruses without updates.” That isn’t a flexible claim, and a single counter-example will, and jolly well should, undermine it completely.

Anyway, after getting on its high horse for a bit, Google’s Chromium project climbed down onto a pony.

And after a couple of days on the pony, the Chromium guys capitulated completely, just four hours ago:

In light of this issue, we have decided to remove the hotwording component entirely from Chromium. As it is not open source, it does not belong in the open source browser.

Result!

You can still have the proprietary hotword part for free, but you’ll need to build your own version of Chromium that goes out and fetches it.

As we said at the start, “Result,” and respectfully done, too.


It looks like they took it out and then added it right back in. The code change was reverted. Hopefully they’re working on a new way to fix this issue.

Reply

Hmm. A yet more recent comment under the abovementioned “issue” says:

—cut here—
As of the newly-landed r335874 Chromium builds, by default, will not download this module at all.

A binary blob module like this can not be installed by a user via clicking on a link. Such a Native Client module can only be installed by the user deliberately from the Chrome Web Store.

Chromium is open source and it’s important to us, as it is to you, that it doesn’t ship with closed-source components, lazily or not.
—cut here—

Sounds like the closed source part is back in the proprietary-parts web store, or is about to be.

So the intention seems to be honourable :-)

Reply

“Open Source” being the difference between Siri & “OK, Google?”

If you had installed Google Chrome as a test, is there a specific way to delete it to be sure these components are gone?

Reply

According to the issue thread linked to above, there are some things you can do to check up on the “OK, Google” thing.

Seems you can use a page called “chrome://voicesearch” to see what options are set.

And you can start Chrome with the command line option “--show-component-extension-options” to include the not-normally-listed components into the list.

Could you try those and let us know what you found/saw/liked/were confused by?

Reply

About Voice Search

Google Chrome 43.0.2357.130 (m)
OS Windows 7 or Server 2008 R2 SP1 64 bit
NaCl Enabled Yes
Microphone Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial Install
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\resources\hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path C:\Users\…………\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg.3.0.5_0
Shared Module State ENABLED
Shared Module Platforms x86-64_

Reply
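An added example, not part of the original article or comments and not Google's code: a small Python parser for chrome://voicesearch text like the output pasted above, which lists the states a reviewer would want to see side by side. It also accepts the "Label: value" form another commenter posts further down; the function names are hypothetical, and it reports only what the page displays without interpreting what "Audio Capture Allowed" means internally.

```python
# Added example: triage pasted chrome://voicesearch text. Labels are those shown on this page.
FIELDS = [
    "Microphone", "Audio Capture Allowed", "Hotword Search Enabled",
    "Always-on Hotword Search Enabled", "Hotword Audio Logging Enabled",
    "Extension Id", "Extension Version", "Extension State",
    "Shared Module Id", "Shared Module Version", "Shared Module State",
]

# Lines copied from the output pasted in the comment above (path lines omitted).
SAMPLE = """\
Microphone Yes
Audio Capture Allowed Yes
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module State ENABLED
"""

def parse_voicesearch(text):
    """Return {label: value}; accepts 'Label value' and 'Label: value' lines."""
    labels = sorted(FIELDS, key=len, reverse=True)  # longest label wins on a shared prefix
    out = {}
    for line in text.splitlines():
        line = line.strip()
        for label in labels:
            rest = line[len(label):]
            if line.startswith(label) and rest[:1] in (" ", ":", "\t"):
                out[label] = rest.lstrip(": \t")
                break
    return out

def assess(fields):
    """List the combinations discussed in the thread, in the page's own terms."""
    def has(key, want):
        return fields.get(key, "").lower() == want
    hotword_on = any(has(k, "yes") for k in
                     ("Hotword Search Enabled", "Always-on Hotword Search Enabled"))
    notes = []
    for kind in ("Extension", "Shared Module"):
        if has(kind + " State", "enabled"):
            status = "in use" if hotword_on else "present although hotword search is off"
            notes.append(f"{kind} {fields.get(kind + ' Id', 'unknown id')} is ENABLED: {status}")
    if has("Audio Capture Allowed", "yes") and not hotword_on:
        notes.append("Audio Capture Allowed is Yes while every hotword option is No")
    if has("Hotword Audio Logging Enabled", "yes"):
        notes.append("Hotword audio logging is enabled")
    return notes

if __name__ == "__main__":
    for note in assess(parse_voicesearch(SAMPLE)):
        print(note)
```
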

this is so maddening, in a variety of ways.. doesn’t anyone see the problem here? the google software makes your computer into a listening device where persons-unknown can eavesdrop on your conversations.. duh, doesn’t anyone see a problem with that? apparently i am the only one who thinks that that is a problem..

google keeps saying “it is disabled by default”, BUT when they say it is disabled, it is not disabled as far as eavesdropping on your conversations.. it is only “disabled” in the sense that your computer will not respond to voice-commands..

i like google.. i trust google, but they are wrong, here, in not understanding that it is wrong to eavesdrop on people’s conversations..

i am sure that google’s eavesdropping on conversations violates wiretapping laws..

Reply

You’re pretty much saying that Google’s “hotword” module *does* conduct surveillance even when it says it doesn’t.

That’s a pretty big accusation, and doesn’t really help the argument.

The real problems are not that the module *is* eavesdropping, or even that it might be tricked into doing so because of a bug, but that it arrived without consent, wasn’t opt-in, injected proprietary code into an overtly non-proprietary project, and didn’t report its status clearly.

By making statements about Google’s untrustworthiness that are probably untrue, and can be shown by experiments to be extremely likely to be false, you’re running the risk of creating an objection that can easily be destroyed.

I’d suggest sticking to the issues that are problematic anyway, *regardless of how good or bad the actual coding of the module might turn out to be*.

Reply

Paul,
As a Chrome NOT Chromium user I am more than a little confused by this; not to mention creeped out.
The first thing I did after downloading Chrome was go into the settings.
Under General, I UN-checked, enable “OK Google” to start a voice search. Under Privacy—Media, I checked “Do not allow sites to access your camera or microphone”.

Do these settings not apply to Google itself?

I do have the “Google Talk” plugin (2 files) enabled that allows me to make free Canada/US calls from Gmail. Obviously that means there is access to my laptop microphone. At the bottom of the plugin is a box “Always allowed to run” which I do not have checked.

Under Flags there is this: “Enable simulated hardware ‘Ok Google’ features. Chrome OS. Enables an experimental version of ‘Ok Google’ hotword detection features that have a hardware dependency. #enable-hotword-hardware. Sorry, this experiment is not available on your platform.” (I guess I should be glad of that)

So can Google randomly listen in on my microphone or not, and do I have any control over this?

Thanks

Reply

What does that special “chrome://voicesearch” URL say?

A previous commenter was kind enough to share his settings (see above). He reported:

Audio Capture Allowed Yes

That sounds (ha!) like the crux of the issue to me. Of course, what it means if it says “No” is another question, considering that core plugins weren’t considered worth listing as plugins when you asked, so who knows how strictly the word “No” is taken…

I guess you’ll have to call Google Chrome tech support :-)

Reply

Why would they install this thing on your computer and never activate it then? Of course we have no evidence of what it’s doing, because it’s a black box, but it’s quite possibly insane to assume that they just put this spyware there with no intention to ever use it.

Reply

I think you’ll find that most applications include rare features that could be misused, and that they’re there “just in case.”

Reply

Well Paul, this obviates the need for clarity on blobs being inserted into the devices we use. I haven’t seen any discussion on the source for this programming.

What will defend us from the predations of the NSA? This event would certainly fit the techniques of the NSA, wouldn’t it?

Reply

I’m using Chrome 43.0.2357.130 (Official Build) m (32-bit). [Pulled from the “chrome://version” page]

“Enable ‘OK, Google’ to start a voice search” box is cleared (so, no check-mark in the box).

Here are my results from “chrome://voicesearch”
About Voice Search

Google Chrome 43.0.2357.130 (m)
OS Windows 7 or Server 2008 R2 SP1 64 bit
NaCl Enabled Yes
Microphone Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial Install
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path C:\Users\ahaynes7\AppData\Local\Google\Chrome\Application\43.0.2357.130\resources\hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path C:\Users\ahaynes7\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg.3.0.5_0
Shared Module State ENABLED
Shared Module Platforms x86-64_

Reply

I use Chrome stable latest. I’m vigilant to my privacy and have had the hotword features unchecked since they first appeared in Chrome.

The results of my chrome://voicesearch/ on Windows 8.1 x64 are:

Microphone: Yes
Audio Capture Allowed: Yes
Hotword Search Enabled: No
Always-on Hotword Search Enabled: No
Hotword Audio Logging Enabled: No

Line 1 is true, I do have a microphone. Line 2 is creepy, and I don’t know what it means. Line 3 is accurate, as I’ve disabled those features.

Nowhere am I opting into any audio capture or allowing it, but the browser says I am.

I’ve been using other browsers (Firefox and Maxthon of all things) more often every day as Google’s insistence on violating my privacy grows. WebRTC is still a not-so-distant memory. Whether they’re more focused on my privacy, I frankly don’t know; but I’m willing to give others the benefit of the doubt that Google has intentionally given up over time with these creepy games.

Reply
