NaCl Enabled Yes
Microphone Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
I metaphorically did. Then I closed Chrome and tabbed back to my Firefox window.
This feels like I had an Amazon Echo dropped by my house, plugged in, and then shoved behind a book on the shelf so that I wouldn't see it. Ethics be damned.
FYI I'm running Chrome 43.0.x on OS X 10.10.3 and Enable "Ok Google" is disabled under chrome://settings. I don't remember ever enabling it, so this behavior is correct.
I have never had the "OK Google" voice search option enabled and chrome://voicesearch/ shown below. I deleted the hotword file specified as the extension path and also `rm rf` directories under the "Extensions/lccekmodgklaepjeofjdjpbminllajkg" specified as the Shared Module path. I also changed owner of the directory "lccekmodgklaepjeofjdjpbminllajkg" to root and the permission to read only. After restarting chrome, the extension/module still shows up in the chrome://voicesearch/ and Enabled in the chrome://extensions/ when --show-component-extension-options is used. Further, chrome://extensions/ shows "Hotword triggering" as allowed in Incognito Mode. Unchecking the box is automatically re-enabled.
Google Chrome 43.0.2357.124 ()
OS Mac OS X
NaCl Enabled Yes
Microphone Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial Install
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path /Applications/Google Chrome.app/Contents/Versions/43.0.2357.124/Google Chrome Framework.framework/Resources/hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path <user path redacted>/Application Support/Google/Chrome/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State ENABLED
This is pretty funny. He complains that Chromium managed to "bypass this audit-then-build process", by downloading stuff afterwards, while ignoring that this happening already shows that the audit process is completely useless since it failed to recognize and reject the code that would do this.
The audit process assumes the upstream maintainers aren't malicious actors attempting to actively bypass the process:
> After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts downloading
"Chrome Hotword Shared Module" extension, which contains a binary without
source code. There seems no opt-out config.
They don't have the resources to do a full audit on all the packages:
> Due to the sheer size of the current Debian release it is infeasible for a small team to be able to audit all the packages, so there is a system of prioritizing packages which are more security sensitive.
I wonder if European Commission would be interested in adding this to their investigation, couple of hundred million dollars should be enough penalty for violating users privacy.
I agree with the sentiment, but I don't think a competition investigation is the appropriate forum to deal with this. There should be a fine, perhaps through a class action or criminal conviction.
I certainly hope the penalty for illegally wiretapping hundreds of millions of people is more than $1 per head. I value the privacy of my conversations (and life) way more than that.
Besides, if I opt-in to this service, why should everyone who ever walks into my home or office be presumed to have made the same choice? What if I am a doctor or lawyer who is not legally allowed to make that choice?
Can we stop with the witch hunts and the desire to maim folks over minor infractions like this?
Consider that you're one of the developers that wrote this feature. You try very hard to make sure your users privacy rights are respected. Normally your work is strong and you catch all of the corner cases, but this one you missed. You've fixed it upstream, but folks are demanding 5% of the company's bottom line because of a mistake /you/ made. The code isn't even used unless the user ticks a box to turn it on in the first place, which is even verifiable with a cursory use of system monitoring tools like fuser, lsof, etc.
You've been marked as costing a company a major stake of their income. You'll likely never live that down.
If you don't like the company's behavior, /don't use the software/. Simple, clean, and effective in large numbers -- more so than regulation action. Chromium is an open source first browser, we as a community actually have a hand in its development. If you don't like this, fix it.
Massive security risk to the user and anyone around them. That's a dangerous and unsafe product which absolutely should be regulated as it can endanger the public interest. At least it's a good thing these innocent developers aren't writing software for planes I guess.
This is not a minor infraction, nor is it the work of a handful developers (the GP said Google, not Chromium). This is a business decision, and a hugely flawed one at that.
IMNSHO, user-hostile business decisions should be fined in a way that does impact the business. We've long since passed the point where this can be resolved with a slap on the wrist. So yes, 5% of revenue seems like an appropriate figure to start with.
By fining the business you will directly affect whether or not Chromium continues to exist if at all, because it then becomes more of a liability than an asset to the company.
After working there for eight years, I can confirm the contrary of this statement. Google cares very much about user privacy -- the engineers doing the work even more so. The quote from one of their SREs swearing about the Snowden revelations was drop dead true, and engineers there have been working /very/ hard to fix issues like this.
Google does not operate like Apple -- there are many hands at the tiller, and the ship moves in almost arbitrary directions at times. Situations like this do come up, and they are most of the time honest mistakes or oversights.
Google cares very much about other actors violating user privacy. Not quite the same amount of "caring" if the violations are being done by Google itself.
The extension is only used by voice search. If voice search is disabled, the extension isn't used by anything.
A mountain is being made out of this molehill. If the extension was only downloaded at the time that the option was enabled by the user, nobody would care. Instead, they chose to have the extension always available and as a result people are having paranoid over-reactions.
I think this is the last straw for me : enough is enough.
I need to sit and reflect a bit on this, but I'm contemplating abandoning every bit of non free software I currently use (and there's a lot of it since I'm using Windows and Android).
postgres, python, inkscape, XFCE, various shells, GTK, Qt, even libreoffice (which has gone through astounding refactoring), vim, emacs, apache, nginx.
That's a good point. Maybe it is a matter of perspective: none of those are consumer programs, they are developer tools. (Except libreoffice, but that has had its problems.)
So you could argue that they are not all that user friendly.
> Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.
They are user friendly they just represent the usages of the type of user using them.
This is something I see said a lot, constraining an interface to your average completely new user who knows nothing makes it very difficult to have that interface adequately serve people with more experience, you load up the benefit on the front side and trash the backside in response - that said some powerful interfaces are just objectively bad but the tools utility overrides that.
user friendly - designed to aid the user in doing whatever task they are doing.
The software for making a photo collage for Grandma and the software for controlling replication across a hundred database nodes can be radically different and still be user friendly.
Lots of software tends to assume that the user is a new user but the problem then is that a new user rapidly becomes a not-new user and those things that helped initially now hamper productivity (cough Clippy cough).
I'm not saying everyone should have a Symbolics terminal and that requiring lisp knowledge should be mandatory so much as lots of people say open source isn't "user friendly" when what they mean is it's not particularly friendly to new/inexperience users coming from outside.
http://rippedwire.sourceforge.net/images/hbgtk-video.jpg for example, to a new user that is very unfriendly but if you use it frequently and or understand what you are trying to do that kind of no-nonsense interface is user friendly.
The other day, on OS X, I happened to start a new copy of Firefox in an account that had parental controls enabled (such as Guest user by default). It was a real eye-opener.
Parental controls alerts anytime an https connection is initiated. Basically it was impossible to keep Firefox from immediately initiating quite a number of these. I frantically tried to uncheck all the relevant preferences I could (e.g. "Block reported web forgeries").
I failed. Firefox still insisted on phoning home (maybe I missed something?). Also, it was hard to even make progress. The parental controls popup takes focus and demands an administrator's approval to proceed. By the time I could dismiss the popup, Firefox tried to phone home again and a new popup appeared.
Sheesh.
Here are just some of the sites that Firefox immediately accesses:
What I'm saying is that microphone access is just a very small portion of what's happening. Basically all these browsers are shipping vast amounts of our intimate browsing details to "the cloud".
I think we're all missing the point of the article.
The author isn't claiming that free software is immune to this either (think about the flaw hiding in plain sight in OpenSSH for years). The author is saying that if you want to protect yourself from image / audio capture without your consent, make sure you can physically deactivate those features on your hardware in a way that software cannot physically re-activate them, i.e. mechanical switches.
Has anyone actually confirmed that Chrome is continuously sending audio back to Google? I highly doubt that this is the case. Instead, the plug in knows how to recognize "OK Google" all by itself. Once activated, then it starts sending audio data.
IF it where really listening even when inactive, then people would be complaining about it sucking up bandwidth and data allotments.
I was thinking something similar... that would be a LOT of data being sent back continuously while Chrome was running, which for many people is 24/7. If you had an office of Chrome users the entire office pipe could be eaten up by what is essentially X number continuous VOIP calls.
Right. There's no way this would go unnoticed on any enterprise or government network, and once noticed it would end the use Chrome in those environments. In fact it would have unimaginably huge consequences. It would mean huge numbers of CEOs and government officials in all countries where being bugged, all dependent on Google securely keeping millions of audio streams private. This doesn't pass the giggle test.
Regardless, the black box aspect means this can be targeted to high value individuals and could even be limited to their home or mobile networks. Then again, it's somewhat irrelevant since all sysadmins are already legally owned by security services and sworn to secrecy by the current legal frameworks, no cloak and dagger required. And it would be hard to believe that any competent foreign intelligence org hadn't fully infested such juicy targets as google and high value corporate networks long ago.
There's an old rule that you shouldn't write down anything you wouldn't want to hear read out in a court of law. Same goes for online, and now for when you are in the vicinity of a mobile device.
First of all, they need to send only data when there is something to listen, so above a specific threshold. They can also compress the data. Second, I'm sure that if Google can handle traffic that's generated by youtube they can handle voip traffic.
In theory, that's only true if the user has given permission for some remotely-accessible application to activate it. In practice, the NSA almost certainly has ways to accomplish it, but that doesn't mean we should make it trivial.
If compelling Google into changing their software to allow it to record audio for the NSA is trivial so is compelling Microsoft/Apple into changing their OS to allow the NSA to record audio. Chrome doesn't change things if the NSA is willing to make its objectives known to software vendors.
The FBI have activated the microphone of a feature phone in an organized crime case. The phone wasn't on a call, but the mic was activated, evidence was gathered, and was used in trial.
It's interesting to note that the mic can be activated with the cell phone "turned off", as some models at the time didn't fully shut down even being powered down.
Is that a valid argument for every phone being able to have this capability? Accomplishing this on computer either requires informed consent or some kind of malware/backdoor. On Google Android it's a feature.
This happened 12 years ago when the FBI tried to eavesdrop on conversations taking place in a car with OnStar or a similar device. Agents wanted to remotely activate the car's microphone; I wrote about the case here: http://news.cnet.com/Court-to-FBI-No-spying-on-in-car-comput...
The 9th Circuit said "no," but the court's reasoning wasn't based on privacy concerns. The reasoning was that companies can only be forced to comply with wiretaps when the order would cause a "minimum of interference" (and the FBI's tap would have disabled the call-an-operator feature if there were an emergency, which exceeded the "minimum of interference" threshold).
This is not unique to Google, which has done a better job than just about any company I can think of at fighting off overly broad surveillance demands; see my post from two years ago for examples: https://news.ycombinator.com/item?id=5725899
Why could Apple, Microsoft, or Samsung not be compelled -- let's assume an actual court order exists -- to deliver a software update to a specific user that allows FBI agents remote access to that device microphone? Or AT&T? Or Verizon? We know from recent history that AT&T is hardly likely to put up a fight.
I wrote more about the outer limits of the Feds' surveillance authority here: http://www.cnet.com/news/how-the-u-s-forces-net-firms-to-coo... Excerpt: "Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks..." And earlier: "In 1977, the U.S. Supreme Court ruled that surveillance law is a "direct command to federal courts to compel, upon request, any assistance necessary to accomplish an electronic interception..."
In terms of a hierarchy of privacy protection, I trust technology > courts > Congress > DOJ oversight > FBI.
I just tried the feature out on my windows pc with chrome, and chrome only reacts to ok google when you have a new, empty tab, or the google search page open and active as the main tab. Additionally i checked with procmon what network activity chrome was making, and while it starts sending stuff AFTER "ok google" is activated, it doesn't send any between me saying it and chrome confirming it.
The theory that it's a small local plugin is also affirmed by the fact that my cellphone can do "ok google" without any sort of network, and is sometimes tricked into activating by audiobooks that make noises completely unlike "ok google".
It's not about consistently being bugged though--I see two troubling implications to this;
a) Government A decides target B has valuable communications, and uses this audio capture functionality as an attack vector (ie, a MiTM server modifies the chrome binary blob request slightly to a version where chunked audio is sent back to a control server).
b) (more likely) This binary blob contains a voice recognition algorithm, which can of course detect the phrase "ok, google." Imagine they wanted to detect other phrases, like "drugs" or "travel." Small modifications could easily allow an arbitrary list of "hot" terms to be targeted. Then no audio is even sent back from the user's computer--a small flag in your google account is simply set attaching your profile to "high risk" terms overheard, and databased, where it could later be queried by law enforcement.
It's troubling because there's no transparency, and if you spend a little time brainstorming about the ways this could be used maliciously (most likely by a nation-state) there are many possibilities...
This is true of any auto-updating software, including your operating system and all evergreen browsers.
The problem with this blog post is that the author gets in a tizzy about what could happen, not what is actually happening. What could happen has not been affected by the recent Chromium screw-up, nor is it specific to Chromium.
That's not really a problem; it's a feature. The author is pointing out the significance of defense-in-depth to protect against the scenarios that can happen in light of what has happened.
Except Chromium as a framework is in an interesting position... and I think the threat is not even in how this could be used with malicious intent, but rather how easy it allows for indiscriminate passive logging on a grand scale.
Chrome is a very widely-distributed piece of trusted, self-updating software. It's also (for most users) directly connected to your google account--which is in many ways an intimate mirror to your identity.
You're absolutely right that this issue is not unique to Chrome, and can (and does) arise in any piece of software from native OSes & apps to 3rd party binaries.
I also think Chrome specifically warrants added concern for its ubiquity and de-facto link to your identity.
Anyone can use these techniques to target an individual, network, or system, but Chrome is one of the most widely distributed pieces of software designed with analytics in mind, from a company known for designing algorithms to improve contextual awareness.
What that means is, it's uniquely trivial to add in a few vectors of phonemes to recognize certain words/phrases, flip on an analytics pixel, and instantly have 100's of millions of devices running chrome associate their linked google accounts with this word/phrase.
In this case, either the speech-recognition feature being included in the chromium source (and not as a raw network-reconciled binary), or else have the feature be opt-in, not enabled by default.
c) (even more likely) The algorithm released in the blob is much simpler than the one locked in their servers, and it has many false positives. The audio from false positives is archived to help improve the simplistic algorithm.
It can definitely detect OK Google on its own, here's what it looks like when you say "OK Google" when not connected to the internet (and it only shows up after saying it):
> How else would it know when to respond to an "ok, google" audio cue?
Because you open a new tab or you go to the search bar and then starts to listen IF you have activated that option?
"Ok Google" only works on a new tab page. Look at the microphone icon in the search box to see whether it’s listening for the phrase "Ok Google" or not:
The problem is that it cannot perfectly recognize "OK Google". There are going to be false positives, things that sound like "OK Google" to the plugin, but are not "OK Google". And it will send those recordings, plus what said after them, to Google servers.
More importantly, the plugin does not even run unless you opt in to hotwording (by checking the check box in settings). The open source Chromium code makes sure of this. So you do not need to take our word for it.
Furthermore, you are right that if you turn on the "Ok Google" setting, the plugin will start listening to your microphone, but will not send audio to Google servers unless it hears an "Ok Google".
How does he know Chrome is transmitting ALL conversations that it hears? His arguments aren't valid:
"(Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’)"
This could easily be achieved offline.
The same argument could be made for Siri, a wiretapping device which you carry with you all the time. In fact wiretapping your phone would be much more effective then wiretapping a computer browser application.
Before making such accusations he should present some solid data, like network traffic from an idle chrome application during conversations (with and without saying "Okay Google"). If an idle chrome application was always transmitting data to google, he would have a solid argument.
In the U.S., implementation of a wiretapping scheme like this would be a significant civil and criminal violation. Google is already under a FTC consent degree for privacy violations, which would make it doubly egregious. So I'll give Google the benefit of the doubt - and assume there are privacy-protective mechanisms designed in to the system.
In the age of ambient technology, where anything can be recorded, the onus is now on developers to create systems that internally suppress mass privacy violation. The "Privacy by Design" approach (disclosure, I have an evangelist of PbD) can provide solid guidance as to how to build privacy-protective mechanisms (e.g. data minimization, data scrubbing) into ambient technologies.
It also happens to my android-using friends. I've become convinced that Android phones are listening all the time so that they can figure out what we're about to search for and what to advertise to us.
Given that this has been my (admittedly anecdotal) experience with Android, I wouldn't be surprised at all if Google was trying to take this type of thing to the desktop with Chrome.
I love Google and have historically just not cared about my privacy as far as they're concerned, but I'm getting more creeped out as this kind of stuff becomes more pervasive.
Nope, I have no proof, and of course I'd be happy to learn that they aren't listening. I just hypothesize that they are based on my experience, but I've not tried to test it in any systematic way.
That's presuming it just doesn't cue up a text or audio[1] log on the device and upload it to Google the next time it's on wi-fi and plugged into a charger.
</tinfoil>
1. 4khz mono audio is sufficient for human voice recognition and tiny in terms of storage.
Targeted advertising is actually quite good at separating you the person from you your marketing footprint. Unfortunately, the ways it does this are hard to explain, but let me give an example.
A friend of mine was convinced that Google was data-mining his Gmail because it recommended a flight on a related search atop the dates he was considering visiting a friend (if I recall correctly, he looked up driving directions and Google suggested "You could get there faster if you took <FLIGHT> on <EXACT DATE HE AND HIS FRIEND HAD BEEN TALKING ABOUT FLYING>").
I punched in the same directions as him in an incognito browser session and... Got the same flight suggestion. Then I looked at the nearby flights and found that the suggested one was really just the cheapest one that week. Turns out his friend and he were planning to meet on a day they happened to be free... Because it was near a holiday, so a lot of people were free, so airlines factored that into their pricing model, so Google recommended a flight because it was a popular flight that a lot of people wanted to take between those two destination points.
It's far, far more likely that targeted advertising is working because we are not the special snowflakes we believe ourselves to be. The correlation algorithms can guess a lot from a few data points when they have billions of correlations to sort through.
You might not have entered your old friends in your computer ever but they might have entered you. Just "invert" this relation and its quite reasonable to assume you know them also. Still spooky though.
I want my desktop operating system to offer fairly fine-grained control of permissions I selectively grant to processes/applications. I would like the ability to easily revoke Chrome's ability to use my audio inputs, and then—if the use case comes up, such as a WebRTC conference—I can grant permission either on a one-time basis or until I revoke. This would be the operating system controlling the application's capability.
I'm guessing a rough approximation is possible on some operating systems. Given the sprawling management infrastructure in Windows, I wouldn't be surprised if it has some "policy" framework in place that allows devices to be declared off-limits at a process granularity. The missing piece, then, is a viable user interface on top of that.
I'm not asking for something akin to the simplified permissions model of mainstream sandboxed mobile operating systems. Not set-and-forget; and certainly not all-or-nothing ("accept these required permissions or don't install the app.") Rather, something quite a bit finer grained and with the necessary infrastructure to have the OS prompt for privileged access if the application wants something I've disallowed, in a manner akin to Windows UAC prompts for admin credentials.
Imagine starting Chrome one day to have your operating system prompt you, "Chrome would like access to audio input 1 (microphone). Allow for now, permanently, or deny?"
Okay, I'm going to put on my tin foil hat for a bit here.
Think of the corporate boardrooms with Chromebox for meetings, listening in even when not actively used for meetings. An exec at the Better Business Bureau [0] who chose Chromebox because they were excited to, "[reduce] the time [they spend] ... worrying about security concerns," is discussing the growing complaints the BBB has received about a competitor to a company owned by Google. He says, "Ok, Google owns their primary competitor, and they may have insight to offer us."
Wait, that's just my tin foil beanie. Let me put on the tin foil balaclava.
The U.S. Department of State [1] is in an all-hands-on-deck crisis meeting over a deeply divisive political situation involving a first-world ally. Chrome is updated with the eavesdropping feature (remember, it's just my tin foil that's making me choose that word, I know it's hyperbole), and it's already been "deployed to production immediately, bypassing cumbersome testing." Someone in the meeting says, "OK, Google News has been trending a lot of stories about this issue." Sensitive things are then said about this ally, things that are now being heard by an enemy of the state, because they were able to use their previously embedded network sniffers to capture and forward interesting network traffic.
It's frightening that a feature is enabled by default, and difficult to disable, that could capture sensitive conversations without the knowledge of the parties speaking because they innocently started a sentence with, "OK, Google." Certainly this violates wiretapping laws?
Let's pile on. Hospitals and medical centers are using this too, according to the Chrome for Work pages. A doctor says, "Ok, Google had a lot of results about new HLA-B27 research," when discussing a patient's arthritic concerns, while proceeding to outline the patient's symptoms and how treatment should proceed and now we're looking at a potential HIPAA Privacy Rule violation.
As I type this, I look over at my Amazon Echo, and I'm reminded of something I heard once. If you're not paying, you're not the customer, you're the product. Is that hypocritical of me to accept my Amazon Echo but not the behavior of Google Chrome?
My only audio recording device is my webcam and it is incapable of being in use without the light being on as far as I am aware. So how would it send them audio data without the audio device realize it is being used?
I take the view that anything under software control or the control of a chip I can't open is suspect, I've taped the webcam on laptops and physically disconnected built in microphones (I use a headset, built in ones suck).
I'm not really happy about my Nexus 4 at all either, I think my next phone will be a dumb mobile.
The sad thing is that I try to avoid paranoia with this stuff but the threat landscape is so large it's practically a full time job staying up to date with whats going on.
It's irrelevant to the argument. The author is making an appeal to the slippery slope (even if it's not happening right now, and even if Google is not doing it.... It could easily happen tomorrow and anyone could do it. Shutter your cameras and make sure your microphones can be physically deactivated).
google phones (nexuses) pretty much turn it on as u hit next next next on install
thats actually pretty similar the chrome
tvs also warn you usually - but nontech ppl dont notice. next next.
Physical switches are the most common point of mechanical failure. It translates to real-world lost revenue in terms of returns and repairs to include them at all.
While acceptable for most paranoid users, the indicator light isn't as secure as a physical switch. For some devices (most notably 2007/2008 era MacBooks) the controller can be manipulated to enable the camera without giving any visual indication via the light.
Yeah but what if the physical switch gets manipulated? I think if you're that paranoid you need to keep your macbook in a vacuum so it can't pick up any sound.
Same for wifi, camera and speakers. Preferably a real physical lid for the camera, the switches are in most cases just connected to an io pin and could potentially be overridden. Even if they are not its just very discomforting to have a camera constantly pointing at you, I feel weird when i see a lens even when I know the power is totally cut.
For speakers it has happened to me a few times that something has started to play loud sounds and I can not mute it because windows is locked up somehow or im in fullscreen or whatever.
> When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code
If this was true, Debian would have not build/release this version of Chromium. The author is living in the past or in another dimension. Some projects are complex, and it's hard/impossible to read/understand everything for a single human being.
123 comments
[ 4.1 ms ] story [ 187 ms ] threadWhat now?
If you're runnning Google Chrome: Weep.
I metaphorically did. Then I closed Chrome and tabbed back to my Firefox window.
This feels like I had an Amazon Echo dropped by my house, plugged in, and then shoved behind a book on the shelf so that I wouldn't see it. Ethics be damned.
Uncheck: Enable "Ok Google" to start a voice search.
NaCl Enabled Yes Microphone Yes Audio Capture Allowed Yes
In Settings my 'Ok Google' is (and was) unchecked. What gives?
From chrome://voicesearch/:
NaCl Enabled Yes
Microphone Yes
Audio Capture Allowed Yes
From chrome://settings/ under the Search heading, "Enable 'Ok Google' to start a voice search" is unchecked and has always been unchecked.
There's a TSA joke somewhere in this.
> After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading "Chrome Hotword Shared Module" extension, which contains a binary without source code. There seems no opt-out config.
They don't have the resources to do a full audit on all the packages:
https://www.debian.org/security/audit/
> Due to the sheer size of the current Debian release it is infeasible for a small team to be able to audit all the packages, so there is a system of prioritizing packages which are more security sensitive.
I certainly hope the penalty for illegally wiretapping hundreds of millions of people is more than $1 per head. I value the privacy of my conversations (and life) way more than that.
Besides, if I opt-in to this service, why should everyone who ever walks into my home or office be presumed to have made the same choice? What if I am a doctor or lawyer who is not legally allowed to make that choice?
Consider that you're one of the developers that wrote this feature. You try very hard to make sure your users privacy rights are respected. Normally your work is strong and you catch all of the corner cases, but this one you missed. You've fixed it upstream, but folks are demanding 5% of the company's bottom line because of a mistake /you/ made. The code isn't even used unless the user ticks a box to turn it on in the first place, which is even verifiable with a cursory use of system monitoring tools like fuser, lsof, etc.
You've been marked as costing a company a major stake of their income. You'll likely never live that down.
If you don't like the company's behavior, /don't use the software/. Simple, clean, and effective in large numbers -- more so than regulation action. Chromium is an open source first browser, we as a community actually have a hand in its development. If you don't like this, fix it.
By that reasoning, tobacco and asbestos shouldn't be regulated
IMNSHO, user-hostile business decisions should be fined in a way that does impact the business. We've long since passed the point where this can be resolved with a slap on the wrist. So yes, 5% of revenue seems like an appropriate figure to start with.
Surely a developer working for Google knows that user privacy is not a priority for the company?
Google does not operate like Apple -- there are many hands at the tiller, and the ship moves in almost arbitrary directions at times. Situations like this do come up, and they are most of the time honest mistakes or oversights.
Google cares very much about other actors violating user privacy. Not quite the same amount of "caring" if the violations are being done by Google itself.
A mountain is being made out of this molehill. If the extension was only downloaded at the time that the option was enabled by the user, nobody would care. Instead, they chose to have the extension always available and as a result people are having paranoid over-reactions.
edit:
This might work
http://www.chromium.org/administrators/policy-list-3#AudioCa...
I need to sit and reflect a bit on this, but I'm contemplating abandoning every bit of non free software I currently use (and there's a lot of it since I'm using Windows and Android).
Libre, high quality, and user friendly. Pick two.
I don't think there is a rule.
So you could argue that they are not all that user friendly.
They are user friendly they just represent the usages of the type of user using them.
This is something I see said a lot, constraining an interface to your average completely new user who knows nothing makes it very difficult to have that interface adequately serve people with more experience, you load up the benefit on the front side and trash the backside in response - that said some powerful interfaces are just objectively bad but the tools utility overrides that.
The software for making a photo collage for Grandma and the software for controlling replication across a hundred database nodes can be radically different and still be user friendly.
Lots of software tends to assume that the user is a new user but the problem then is that a new user rapidly becomes a not-new user and those things that helped initially now hamper productivity (cough Clippy cough).
I'm not saying everyone should have a Symbolics terminal and that requiring lisp knowledge should be mandatory so much as lots of people say open source isn't "user friendly" when what they mean is it's not particularly friendly to new/inexperience users coming from outside.
http://rippedwire.sourceforge.net/images/hbgtk-video.jpg for example, to a new user that is very unfriendly but if you use it frequently and or understand what you are trying to do that kind of no-nonsense interface is user friendly.
The other day, on OS X, I happened to start a new copy of Firefox in an account that had parental controls enabled (such as Guest user by default). It was a real eye-opener.
Parental controls alerts anytime an https connection is initiated. Basically it was impossible to keep Firefox from immediately initiating quite a number of these. I frantically tried to uncheck all the relevant preferences I could (e.g. "Block reported web forgeries").
I failed. Firefox still insisted on phoning home (maybe I missed something?). Also, it was hard to even make progress. The parental controls popup takes focus and demands an administrator's approval to proceed. By the time I could dismiss the popup, Firefox tried to phone home again and a new popup appeared.
Sheesh.
Here are just some of the sites that Firefox immediately accesses:
What I'm saying is that microphone access is just a very small portion of what's happening. Basically all these browsers are shipping vast amounts of our intimate browsing details to "the cloud".The author isn't claiming that free software is immune to this either (think about the flaw hiding in plain sight in OpenSSH for years). The author is saying that if you want to protect yourself from image / audio capture without your consent, make sure you can physically deactivate those features on your hardware in a way that software cannot physically re-activate them, i.e. mechanical switches.
IF it where really listening even when inactive, then people would be complaining about it sucking up bandwidth and data allotments.
Regardless, the black box aspect means this can be targeted to high value individuals and could even be limited to their home or mobile networks. Then again, it's somewhat irrelevant since all sysadmins are already legally owned by security services and sworn to secrecy by the current legal frameworks, no cloak and dagger required. And it would be hard to believe that any competent foreign intelligence org hadn't fully infested such juicy targets as google and high value corporate networks long ago.
There's an old rule that you shouldn't write down anything you wouldn't want to hear read out in a court of law. Same goes for online, and now for when you are in the vicinity of a mobile device.
It's interesting to note that the mic can be activated with the cell phone "turned off", as some models at the time didn't fully shut down even being powered down.
Here's an article from 9 years ago on the case that the government decided to make public. http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdroppin...
The 9th Circuit said "no," but the court's reasoning wasn't based on privacy concerns. The reasoning was that companies can only be forced to comply with wiretaps when the order would cause a "minimum of interference" (and the FBI's tap would have disabled the call-an-operator feature if there were an emergency, which exceeded the "minimum of interference" threshold).
This is not unique to Google, which has done a better job than just about any company I can think of at fighting off overly broad surveillance demands; see my post from two years ago for examples: https://news.ycombinator.com/item?id=5725899
Why could Apple, Microsoft, or Samsung not be compelled -- let's assume an actual court order exists -- to deliver a software update to a specific user that allows FBI agents remote access to that device microphone? Or AT&T? Or Verizon? We know from recent history that AT&T is hardly likely to put up a fight.
I wrote more about the outer limits of the Feds' surveillance authority here: http://www.cnet.com/news/how-the-u-s-forces-net-firms-to-coo... Excerpt: "Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks..." And earlier: "In 1977, the U.S. Supreme Court ruled that surveillance law is a "direct command to federal courts to compel, upon request, any assistance necessary to accomplish an electronic interception..."
In terms of a hierarchy of privacy protection, I trust technology > courts > Congress > DOJ oversight > FBI.
The theory that it's a small local plugin is also affirmed by the fact that my cellphone can do "ok google" without any sort of network, and is sometimes tricked into activating by audiobooks that make noises completely unlike "ok google".
a) Government A decides target B has valuable communications, and uses this audio capture functionality as an attack vector (ie, a MiTM server modifies the chrome binary blob request slightly to a version where chunked audio is sent back to a control server).
b) (more likely) This binary blob contains a voice recognition algorithm, which can of course detect the phrase "ok, google." Imagine they wanted to detect other phrases, like "drugs" or "travel." Small modifications could easily allow an arbitrary list of "hot" terms to be targeted. Then no audio is even sent back from the user's computer--a small flag in your google account is simply set attaching your profile to "high risk" terms overheard, and databased, where it could later be queried by law enforcement.
It's troubling because there's no transparency, and if you spend a little time brainstorming about the ways this could be used maliciously (most likely by a nation-state) there are many possibilities...
The problem with this blog post is that the author gets in a tizzy about what could happen, not what is actually happening. What could happen has not been affected by the recent Chromium screw-up, nor is it specific to Chromium.
Chrome is a very widely-distributed piece of trusted, self-updating software. It's also (for most users) directly connected to your google account--which is in many ways an intimate mirror to your identity.
You're absolutely right that this issue is not unique to Chrome, and can (and does) arise in any piece of software from native OSes & apps to 3rd party binaries.
I also think Chrome specifically warrants added concern for its ubiquity and de-facto link to your identity.
Anyone can use these techniques to target an individual, network, or system, but Chrome is one of the most widely distributed pieces of software designed with analytics in mind, from a company known for designing algorithms to improve contextual awareness.
What that means is, it's uniquely trivial to add in a few vectors of phonemes to recognize certain words/phrases, flip on an analytics pixel, and instantly have 100's of millions of devices running chrome associate their linked google accounts with this word/phrase.
http://i.imgur.com/CCTGbsk.png
I would change it to:
Has anyone actually confirmed that Chrome is continuously listening?
I'd say it's pretty much a given that it's continuously listening. How else would it know when to respond to an "ok, google" audio cue?
Because you open a new tab or you go to the search bar and then starts to listen IF you have activated that option?
"Ok Google" only works on a new tab page. Look at the microphone icon in the search box to see whether it’s listening for the phrase "Ok Google" or not:
https://support.google.com/websearch/answer/2940021?p=ui_hot...
That's not relevant. The problem is that they _could_ do that (for some subset of users, potentially) and in most cases no one would even notice it.
Please see my statement here for details: https://code.google.com/p/chromium/issues/detail?id=500922#c...
Furthermore, you are right that if you turn on the "Ok Google" setting, the plugin will start listening to your microphone, but will not send audio to Google servers unless it hears an "Ok Google".
"(Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’)"
This could easily be achieved offline.
The same argument could be made for Siri, a wiretapping device which you carry with you all the time. In fact wiretapping your phone would be much more effective then wiretapping a computer browser application.
Before making such accusations he should present some solid data, like network traffic from an idle chrome application during conversations (with and without saying "Okay Google"). If an idle chrome application was always transmitting data to google, he would have a solid argument.
In the U.S., implementation of a wiretapping scheme like this would be a significant civil and criminal violation. Google is already under a FTC consent degree for privacy violations, which would make it doubly egregious. So I'll give Google the benefit of the doubt - and assume there are privacy-protective mechanisms designed in to the system.
In the age of ambient technology, where anything can be recorded, the onus is now on developers to create systems that internally suppress mass privacy violation. The "Privacy by Design" approach (disclosure, I have an evangelist of PbD) can provide solid guidance as to how to build privacy-protective mechanisms (e.g. data minimization, data scrubbing) into ambient technologies.
It also happens to my android-using friends. I've become convinced that Android phones are listening all the time so that they can figure out what we're about to search for and what to advertise to us.
Given that this has been my (admittedly anecdotal) experience with Android, I wouldn't be surprised at all if Google was trying to take this type of thing to the desktop with Chrome.
I love Google and have historically just not cared about my privacy as far as they're concerned, but I'm getting more creeped out as this kind of stuff becomes more pervasive.
No, Android phones are not listening all the time
That's presuming it just doesn't cue up a text or audio[1] log on the device and upload it to Google the next time it's on wi-fi and plugged into a charger.
</tinfoil>
1. 4khz mono audio is sufficient for human voice recognition and tiny in terms of storage.
A friend of mine was convinced that Google was data-mining his Gmail because it recommended a flight on a related search atop the dates he was considering visiting a friend (if I recall correctly, he looked up driving directions and Google suggested "You could get there faster if you took <FLIGHT> on <EXACT DATE HE AND HIS FRIEND HAD BEEN TALKING ABOUT FLYING>").
I punched in the same directions as him in an incognito browser session and... Got the same flight suggestion. Then I looked at the nearby flights and found that the suggested one was really just the cheapest one that week. Turns out his friend and he were planning to meet on a day they happened to be free... Because it was near a holiday, so a lot of people were free, so airlines factored that into their pricing model, so Google recommended a flight because it was a popular flight that a lot of people wanted to take between those two destination points.
It's far, far more likely that targeted advertising is working because we are not the special snowflakes we believe ourselves to be. The correlation algorithms can guess a lot from a few data points when they have billions of correlations to sort through.
I'm guessing a rough approximation is possible on some operating systems. Given the sprawling management infrastructure in Windows, I wouldn't be surprised if it has some "policy" framework in place that allows devices to be declared off-limits at a process granularity. The missing piece, then, is a viable user interface on top of that.
I'm not asking for something akin to the simplified permissions model of mainstream sandboxed mobile operating systems. Not set-and-forget; and certainly not all-or-nothing ("accept these required permissions or don't install the app.") Rather, something quite a bit finer grained and with the necessary infrastructure to have the OS prompt for privileged access if the application wants something I've disallowed, in a manner akin to Windows UAC prompts for admin credentials.
Imagine starting Chrome one day to have your operating system prompt you, "Chrome would like access to audio input 1 (microphone). Allow for now, permanently, or deny?"
I use the free one that comes with Comodo Firewall, but I am unaware of any free, quality, stand alone alternatives.
Think of the corporate boardrooms with Chromebox for meetings, listening in even when not actively used for meetings. An exec at the Better Business Bureau [0] who chose Chromebox because they were excited to, "[reduce] the time [they spend] ... worrying about security concerns," is discussing the growing complaints the BBB has received about a competitor to a company owned by Google. He says, "Ok, Google owns their primary competitor, and they may have insight to offer us."
Wait, that's just my tin foil beanie. Let me put on the tin foil balaclava.
The U.S. Department of State [1] is in an all-hands-on-deck crisis meeting over a deeply divisive political situation involving a first-world ally. Chrome is updated with the eavesdropping feature (remember, it's just my tin foil that's making me choose that word, I know it's hyperbole), and it's already been "deployed to production immediately, bypassing cumbersome testing." Someone in the meeting says, "OK, Google News has been trending a lot of stories about this issue." Sensitive things are then said about this ally, things that are now being heard by an enemy of the state, because they were able to use their previously embedded network sniffers to capture and forward interesting network traffic.
It's frightening that a feature is enabled by default, and difficult to disable, that could capture sensitive conversations without the knowledge of the parties speaking because they innocently started a sentence with, "OK, Google." Certainly this violates wiretapping laws?
Let's pile on. Hospitals and medical centers are using this too, according to the Chrome for Work pages. A doctor says, "Ok, Google had a lot of results about new HLA-B27 research," when discussing a patient's arthritic concerns, while proceeding to outline the patient's symptoms and how treatment should proceed and now we're looking at a potential HIPAA Privacy Rule violation.
As I type this, I look over at my Amazon Echo, and I'm reminded of something I heard once. If you're not paying, you're not the customer, you're the product. Is that hypocritical of me to accept my Amazon Echo but not the behavior of Google Chrome?
[0]: https://www.google.com/work/chrome/resources/customer-storie...
[1]: https://www.google.com/work/chrome/resources/customer-storie...
That doctor's phone should have had a mechanical switch to disable the microphone, is the author's point.
You assume that the light isn't controlled by the same software, that's not always the case, the FBI has admitted this.
https://grahamcluley.com/2013/12/webcam-spying-without-turni...
I take the view that anything under software control or the control of a chip I can't open is suspect, I've taped the webcam on laptops and physically disconnected built in microphones (I use a headset, built in ones suck).
I'm not really happy about my Nexus 4 at all either, I think my next phone will be a dumb mobile.
The sad thing is that I try to avoid paranoia with this stuff but the threat landscape is so large it's practically a full time job staying up to date with whats going on.
Downloading a binary blob is very bad, but the accusations that author makes wihouth a single proof is more FUD than anything
Oh and smart tvs. it is a real problem though
Citation needed.
"Ok Google" functionality is an expressly required opt-in. I had to go out of my way to turn it on.
How is that hard?
... but yes, they should still be included. ;)
For speakers it has happened to me a few times that something has started to play loud sounds and I can not mute it because windows is locked up somehow or im in fullscreen or whatever.
If this was true, Debian would have not build/release this version of Chromium. The author is living in the past or in another dimension. Some projects are complex, and it's hard/impossible to read/understand everything for a single human being.