Chrome update turns browsers into covert listening tools


The default behavior of hotword, a new, black-box module in Chrome (and its free/open cousin, Chromium), causes it to silently switch on your computer's microphone and send whatever it hears to Google.

Google says that hotword isn't supposed to switch on unless users enable it, but developers have documented instances in which the module triggered the mic without user intervention.

Chromium, the free/open version of Chrome, also got the module as a default update. Google blamed the package maintainers for this, saying they should not have chosen a closed module for inclusion in their version.

Falkvinge countered Google’s explanations, saying: “The default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement.” He says a hardware switch to disable the microphone and camera built into most computers is needed.

Voice search functions have become an accepted feature of modern smartphones, but their movement into the home through the smart TV, and now the browser, has caused concerns over the possibility of being listened to within the home.

While most services require a user to opt in, privacy advocates have questioned whether their use, which requires sending voice recordings over the internet to company servers for processing, risks unintentionally exposing private conversations held within the home.

Google eavesdropping tool installed on computers without permission [Samuel Gibbs/The Guardian]

Notable Replies

  1. At the risk of victim-blaming: don't leave an unused microphone plugged in to your PC, and don't buy some crappy all-in-one box/laptop that doesn't give you the option to physically disconnect it.

    I'd never leave a webcam plugged in and pointed at me if I wasn't in the middle of a video call. Treat audio hardware with the same caution.

  2. heng says:

    So don't buy a laptop then?

    How many laptops these days don't have microphones built in? Clearly, many have buttons to disable them, but that distinctly is not a physical disconnect - you're banking on the vendor not to ignore your button press.

  3. Yeah, that's victim-blaming. Almost every new laptop has a microphone installed, and turning it off would require the user know enough to disable it. Even disabling the microphone device in the OS isn't necessarily enough to turn the device off itself. At least with video you can physically tape over the camera.

    Nobody should be covertly installing software on your machine to take advantage of a default listening device being left open to send your private info out to some third-party hell.

  4. So a bug caused by incompatibility between modules that Debian installs alongside Chrome might turn on your microphone. Therefore, Google is spying on you.

    You know, you should really try not to turn every hyperbolic blog post you find into a super-hyperbolic content-free panic outburst. It starts to wear out your credibility after a while.

  5. This is such bad reporting. Someone looked at a bug report, misreported it, and it's been echoed out through the tech news without checking the original source, which is a bug report in Chromium:
    https://code.google.com/p/chromium/issues/detail?id=500922#c6

    The issue at hand is the "okay google" voice activation for a voice search in Chrome, which is still an opt-in and which is not turned on by default. However, the voice activation is proprietary code, so on Chromium it is downloaded separately silently without the user's permission. Some Linux users who used Chromium in other browsers were upset with this. Google says that this is because their main goal with Chromium is to prepare it for Chrome and that 3rd party browsers or projects using Chromium are responsible for removing this themselves. However, in a future version of Chromium they are at least making it easier for 3rd parties to quickly disable.

    That said, the Google engineer points out that the code that activates and deactivates the module is open source and so developers can clearly see when it is activated.

    Basically someone, I'm guessing who isn't a developer, wrote a story about this bug report, confusing the issue between Linux users of Chromium who didn't want this hotword module downloaded without their permission and something that just listens on their own.

    On Chrome, nothing is being installed silently; "okay google" voice activation is a feature that is clearly advertised as part of Chrome and was just recently added to ChromeOS. However, as mentioned again, it is currently opt-in and disabled by default.
