Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

Posted on Jun 18, 2015 by Rick Falkvinge

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmitting audio data back to Google. Effectively, this means that Google had taken upon itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.

It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".

Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.

A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.

Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.

This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.

Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.

Google had two responses to this. The first was to introduce a practically undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent unless you opt out and, more importantly, know that you need to opt out, which is nowhere near a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):

1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.

2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.

3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.

If you think this is an excusable and responsible statement, raise your hand now.

Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don’t even get a theoretical choice. You’re already downloading a black box from a vendor. In Google Chrome, this is all included from the start.

This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.

Of course, people were quick to downplay the alarm. “It only listens when you say ‘Ok, Google’.” (Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google’?) “It’s no big deal.” (A company stealth installs an audio listener that listens to every room in the world it can, and transmits audio data to the mothership when it encounters an unknown, possibly individually tailored, list of keywords – and it’s no big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just no. This is not something that is the slightest amount of permissible just because it’s hidden in legalese.) “It’s opt-in. It won’t really listen unless you check that box.” (Perhaps. We don’t know, Google just downloaded a black box onto my computer. And it may not be the same black box as was downloaded onto yours.)

Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody else dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.

Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.


235 Comments

  1. Christopher Courtney

    Nice proof. I see that you installed wireshark, watched the activity, and analyzed it to back up your claims of google spying on you.

    Oh … wait. You didn’t. Ooops.

    5 years ago
  2. Tark McCoy

    Bad Google! No browser cookie for YOU!

    5 years ago
    1. VerifyMyCaptcha

      Best comment EVER! You win everything! Cheers!

      P.S. Made me sign up for Disqus just to regale your comment!

      5 years ago
    2. Somewhat Reticent

      No need – servers track requests

      5 years ago
  3. Bobby Bill

    I uninstalled Google just now. Please keep me advised of any class-action lawsuits against them for this. Otherwise, they belong in prison.

    5 years ago
  4. Ed Snowden

    How do you turn it off… Faking Google.

    5 years ago
  5. Geekmee

    “Don’t be evil” – Google

    5 years ago
    1. HughdePayens

      Sheesh everywhere, and I mean EVERYWHERE, we look, every direction we turn, corruption…deep to the core corruption.

      5 years ago
      1. Ratchet hunt

        Only thing I’ve found is power off and pull that battery when you discuss anything you don’t want repeated or video taped also hangout is another one to get rid of jlyk RATCHET hope that helps

        4 years ago
      2. asmattersevolve

        What I want to know… and I think I already do know the answer… If people who are surprised about this hidden black box get together as a larger group and ask Google to explain what they are finding out… I believe it will lead to an interesting dialogue. The people at Google are pretty knowledgeable about things but perhaps we need to balance the privilege they have given themselves by being so “smart” with an honest to goodness red flag curiosity of our own. I do trust Google, strangely enough, but you are right to point out this self-entitling behaviour and, in fact, if what they are looking for is truly a worthy thing that enables them to bring us all closer to the things we dearly want to learn and know about then we really do have an obligation to say something and not leave our faith in humanity to become a prisoner to our inability to trust others. Google has accomplished some remarkable things that can be given a positive interpretation as well. If you want me to put Google’s accomplishments into simple words, I would have to say that Google… out of its “do no evil” pledge has had an incredible… actually unimaginably significant effect on all our lives.

        It seems that being such an amazing facilitator might even justify their evolving more relaxed views on the taboos of most average people that evolved in a completely different environ. Perhaps, becoming a googlophyte or what ever you call the programmers and engineers at Google you actually become part of a group of individuals who want to change the world for the better. Maybe they will listen to us if we complain about not being included in this interesting examination of boundaries and boldness. If I was doing something kind for someone, I think I would choose to boldly believe that what I was doing is worth my going against the grain.
        In short, I would like to say that drawing attention to a black box might underline the covert tendencies of the author more than the violating nature of Google’s curiosity and that an inquiry of greater significance might be to examine the more subtle variances of mission creep evident in Google’s path of inquiry if indeed there are any.

        4 years ago
        1. Emmanuel Goldstein

          Throughout history, the greatest damage has generally been done by seemingly well-intentioned people who saw themselves as better, smarter, more moral, whatever, than the “common” people, and who believed that their superior status entitled them to evade the rules that govern everyone else. And if you can’t see the Orwellian irony in Google’s “do no evil,” then you really shouldn’t be commenting on things like this.

          3 years ago
        2. Clipart

          If you think this is an excusable and responsible statement, raise your hand now.

          3 years ago
        3. Chip Chace

          The Patriot 24/7 365.

          Talk about full of shit!! That long rambling utterance of nonsense that you just spouted makes about as much sense as farming for rocks. So in your mind, because they have a “do no evil” statement, they’ll never use any of that information that they pick up for something that could hurt you or people around you. The amount of information that could be covertly gathered about individuals and the people they associate with, family members and the like, could be very easily used to blackmail anybody. The individuals that would have access to that kind of information could very easily use it to destroy someone’s life. On an individual basis someone in a particular position and another company of any type you could take information gathered from that particular person’s private conversations and use that to your own advantage. It doesn’t have to be Google themselves but those individuals who have access to that type of private information. This is very dangerous and I believe there should be a class action lawsuit against Google so that they have to remove any type of software like this. This should cost them millions for doing this. If I were a lawyer I would start looking to pull people in and start a class action lawsuit against Google for an invasion of privacy against millions of people. Google has just gotten too big for their own good and I believe needs to be brought down a peg or three. Anyone finding out about this should be outraged. Google has gotten too big and too powerful. Any company who has access to that much information about individuals needs to be scrutinized very very carefully. I believe an audit of their informational databases should be done. Any personal information they’ve gathered without permission from that individual. Google should be fined for every individual breach of trust. A company like Google can be very dangerous to every individual. There truly is no limit to what they can do with that kind of information.

          3 years ago
        4. VeggyZ

          I wish I had the “good faith” or “naivety” to trust in something as large as Google, that engages in as much censorship as Google has been, because life would have a lot less stress.

          If you really believe being spied on is in our or your best interests, you’re insane. I don’t care about their accomplishments – because that doesn’t tell you a thing about their intention for you or what their end goal may be. Information is a powerful thing, and information on people who are already in less power than yourself is a weapon. It means essentially, you can do whatever you want, and you have the means to stymie anyone who might disagree.

          Things like suppression of free speech and freedoms in general, and invasion of privacy, are NOT “changing the world for the better” . Not a fucking chance. And that goes for EVERYONE who is not the founder of Google or one of his immediate employees or associates.

          3 years ago
      3. VeggyZ

        What corruption? What exactly have you been listening to for the past several decades? Not only our government, but governments around the world are thoroughly corrupt and actively involved in taking power away from regular people, consolidating it, and using it to suppress rights that are inconvenient for those in positions of power – little things like freedom of speech… in fact, why don’t we just say freedom, period.

        I hope that question isn’t serious, because corruption has been a hot topic for decades, even centuries.

        3 years ago
        1. VendicarDecarian0

          Shut up, pig, and get back to work, while you have work to get back to.

          The world revolves around money and Capitalism demands that the maximum amount of money be extracted from you.

          Anything less is pure communism.

          3 years ago
          1. VeggyZ

            I don’t give a shit what capitalism demands, I work for ME, not you, or anyone else leeching off this country’s welfare system. There isn’t just choice A and choice B – the corruption is plain to see and surprise surprise, it exists in ANY form of government you could possibly use as an example.

            Maybe you should TRY working, and you’d have some perspective on all this. I’m willing to bet you don’t. “Pig” …

            Let me correct that instead of backspace. “Swine”

            If you’re really questioning the corruption they talk about in all this you’re beyond a fucking retard. That’s why I had HOPED you were being sarcastic. Evidently not. Stupid is as stupid does. By your response it’s almost impossible to gauge if you even KNOW what you think you believe in – or if you’re just pretending to have beliefs period.

            3 years ago
    2. Alastair Houghton

      No, “corporation” just means a legal person (as opposed to a natural person). Lots of things are corporations. Most small businesses, for one (and most of those are definitely NOT sociopathic).

      Oh, AND the big corporations you’re so keen on making out to be the bogeyman… they’re owned by your pension scheme (i.e. by YOU, albeit indirectly). And you can buy shares in them too, if you want to own a bit of them. Oh, and did I mention that shares generally come with voting rights? Yes, that’s right, folks, most corporations are democratic — you just have to be a member to vote.

      Now, you can certainly criticise the behaviour of companies like Google and Facebook with respect to user privacy. But lazily handwaving about huge evil megacorps of the kind Hollywood insists on (equally lazily) writing into the scripts for its blockbusters is really dumb. If anything, it causes people to disengage when really they should be making clear to their pension companies, investment fund managers and so on that they want particular issues raised with businesses whose shares they hold.

      5 years ago
      1. Gerd Steinwender

        How democratic is a system where you vote with your money?

        5 years ago
        1. Coonhound

          The word CITIZEN is now being discouraged due to the fact that it is OFFENSIVE to residents who are not citizens. Don’t believe me? Just google Seattle + citizen…….couldn’t make this crap up if you tried. I am awaiting the mass book burning.

          5 years ago
          1. Mike D

            Consumer? That implies we consume something. Sorry but “content” cannot be consumed. No, we are not consumers, the same as we are not “content creators” that should be getting paid for our hard work of putting words online by creating this original content (these posts). We are data, we are ad revenue, we are nothing, we are slaves to be bought and sold with no say.

            4 years ago
          2. Jane Gaddin

            I agree with what you say. Although I would like to linguistically and literally debate whether or not we “consume” content.
            In any case, saying we are ad revenue is good enough.

            4 years ago
        2. Anonymous

          Why speak of democracy as if it were something laudable? The United States resembled, before the hideous Federal Reserve Act of 1913, a republic, one where the Constitution and Bill of Rights originated. Now, by way of a so called “democracy”, amendments are destroyed because it’s easier to usurp them under conditions of “democracy for all!” We need a republic.

          5 years ago
      2. roxtoto

        A corporation large enough is obligated by contract to be a psychopath: to put profit first.

        5 years ago
        1. wehl3318

          I wish we had a time machine and we could send you back to the early 1800s. It would be for the best.

          5 years ago
        2. VendicarDecarian0

          Fuck off and die, moron.

          3 years ago
          1. Alastair Houghton

            Charming.

            3 years ago
      3. Somewhat Reticent

        Corporations behave like people in groups – inherently sociopathic, which means they’re amoral – not always-evil. The challenge is to make sure they’re properly motivated to stay moral.

        5 years ago
        1. Mike Rollins

          Does this include those corporations which call themselves governments, while too often also claiming a monopoly right upon use of violence?

          5 years ago
      4. asmattersevolve

        A lot of people are hanging themselves and others on the “noose of convenience.” Most everyone is guilty of doing this but I’m not looking for people to blame. I reflect this because I want an easy way to question the effect of consumption on our choices in life. Eat apples from the tree in the very middle of the garden and

        3 years ago
    3. Clipart Basketball

      Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?

      3 years ago