Naked Security

NOT OK, Google! Privacy advocates take on the Chromium team and win…

Privacy advocates were unsurprisingly unimpressed that Google's Chromium project silently downloaded a proprietary add-on that listened to your microphone.

An intriguing, interesting and ultimately influential privacy campaign has just this day reached a successful conclusion.

Privacy advocates aimed their open-source attitudes straight at Google’s Chromium team, stuck to their guns without any ranting (Linus Torvalds, take note!), and won a small but respectful victory.

Result!

Here’s how it all went down.

The bug report

Just over a week ago (16 June 2015), a bug report (strictly, an issue) was filed against Chromium.

Chromium, you may remember, is the open-source version of Google Chrome – the works-by-itself core of the Chrome project that you can inspect, build and use without including any of Google’s proprietary components.

In Google’s own words:

Chromium is the open-source project behind Google Chrome. We invite you to join us in our effort to help build a safer, faster, and more stable way for all Internet users to experience the web, and to create a powerful platform for developing a new generation of web applications.

The contested behaviour in Chromium boiled down to this:

  • Install Chromium (the reporter was using OS X but Chromium builds on Windows and Linux too, amongst others).
  • Run it.
  • Watch it download a binary BLOB (non-open-source lump of executable code).
  • Find out that the BLOB is responsible for listening to your microphone in case you say, “OK, Google.”

The incantation “OK, Google” is Mountain View’s trigger phrase (hotword, as it is somewhat inaccurately called) to turn on voice commands, to save you typing.

Not OK, Google

Open-source privacy advocates rather convincingly argued that this behaviour is not the sort of thing you’d expect from an open project.

Firstly, there’s the issue of automatically downloading an add-in module that you didn’t build yourself, without being asked, and without knowing what it’s for.

Secondly, there’s the issue of code that turns on your microphone without asking you first.

Thirdly, the privacy guys quickly noticed, there’s the problem that the add-in module doesn’t show up in Chromium’s add-in list.

The Google Chromium team responded quickly, but perhaps without thinking things through terribly well.

They argued, amongst other things, that:

  • The module was loaded but not actually activated, no matter how confusing that might seem.
  • Chromium is technically “not a Google product,” so what actually gets distributed is SEP. (Somebody else’s problem.)
  • Not displaying built-in or automatically-downloaded “core extensions” is considered a feature, not a bug.

Ironically, Google seemed to be saying that it considered the hotword extension to be a core part of the browser, yet it didn’t consider the fact that it was shipped as a core component to be something it should have an opinion about.

So the privacy guys kept up their position, countering that:

  • Clarity matters.
  • Opt-in is important.
  • Google could and should take a position.

Mountain or molehill?

You might think that this is a bit of a mountain out of a molehill on the part of the naysayers.

But, as so often with computer security, the devil is in the details.

Part of the purpose of Chromium is to create a browser in which trust is not only earned but also readily auditable.

Under those circumstances, it isn’t enough simply to say, “Trust us: even though that BLOB may technically be eavesdropping without being clear about it, it’s only listening out for ‘OK, Google.'”

Indeed, as one commenter pointed out, you can also say, “OK, Computer,” and although the difference may seem pedantic, it does raise the question of how you figure out what else might be going on, because it belies the original claim.

You can’t be metaphorical and precise at the same time.

→ It’s like making a statement such as “we detect 100% of all viruses without updates.” That isn’t a flexible claim, and a single counter-example will, and jolly well should, undermine it completely.

Anyway, after getting on its high horse for a bit, Google’s Chromium project climbed down onto a pony.

And after a couple of days on the pony, the Chromium guys capitulated completely, just four hours ago:

In light of this issue, we have decided to remove the hotwording component entirely from Chromium. As it is not open source, it does not belong in the open source browser.

Result!

You can still have the proprietary hotword part for free, but you’ll need to build your own version of Chromium that goes out and fetches it.

As we said at the start, “Result,” and respectfully done, too.