Public outcry over spying concerns makes Google remove the Chromium extension
Google has removed an extension from Chromium, the open source offspring of the Chrome browser, after allegations that the extension was secretly installed and afterwards surreptitiously listened in on the conversations of Chromium users.
The problem was first reported in late May, when a bug was filed in the Debian bug tracker. Chromium version 43 was seen downloading a binary extension from Google, and there was neither any source code available for the extension nor any way to stop the download.
The extension, called “Chrome Hotword,” was found to be responsible for providing the browser’s “OK, Google” functionality. Although it is off by default, both Chrome and Chromium, when set to use Google as their default search engine, can permanently listen to the microphone and reply immediately to voice queries, with “OK Google” as the trigger phrase.
Concern about the purpose and nature of the extension was driven by the way the browser did and did not reveal the extension’s existence. Hotword is not included in the list of extensions shown at chrome://extensions/. By contrast, Hotword’s own status page, chrome://voicesearch/, said that by default the extension was enabled and had access to the microphone.
This seemed like a shocking privacy violation: Google quietly installing software that eavesdrops on the microphone (and possibly reports everything it hears back to the mothership), not only in its partially closed source Chrome browser but also in the free and open Chromium browser. The extension is assumed to detect the “OK Google” phrase locally and to transmit only search phrases to Google. However, there is no simple way to ascertain this, as no source code is available. Other trigger phrases that start transmission could be included, and no one outside Google would be any the wiser.
This problem garnered wide attention after a write-up on Linux Weekly News and another by Pirate Party founder Rick Falkvinge.
Google explained the behavior in response to a bug filed in the Chromium bug tracker. Chrome and Chromium have various built-in features that are implemented as extensions, which Google calls “component extensions.” Some are downloaded automatically when the browser is run, while others are built in. By default, these component extensions are not listed alongside normal extensions on chrome://extensions/, though there is a command-line switch, --show-component-extension-options, that will disclose them.
Similarly, Google developers explained that the page showing the Hotword extension as enabled was being misinterpreted. Enabled in this context does not mean “loaded” or “listening”; it just means “not disabled.” Unless the “OK Google” feature is turned on, the extension is not really active. This can be verified in Chrome’s own task manager: it lists each loaded extension, and by default the one for Hotword is not loaded.
Check the “OK Google” option and the extension will load. But it does not simply load once and then stay loaded. It loads when you turn it on, but unloads a few seconds later. Afterwards, it only loads on the new tab page (which includes a Google search box) or when you visit google.com. Move away from these pages and a few seconds later, the extension unloads again. The same thing happens once you turn off “OK Google”: if the extension is running, it unloads after a few seconds.
When you start Chrome, the extension is loaded for a few seconds and then unloaded, even when the “OK Google” feature is turned off.
This continuous loading and unloading apparently explains the experience of developer Ofer Zelig, who observed that his webcam’s activation light (lit whenever the webcam’s camera or microphone is accessed) kept turning on seemingly at random. This likely occurred whenever he opened a new tab or visited Google’s home page.
It does not look like there is any serious issue for Chrome users. They already have to trust Google to a lesser or greater extent, as the browser is not fully open source and contains proprietary Google code. Still, the fact that the extension loads when the browser starts, and seems to access the microphone when it does so, even when “OK Google” is not enabled is a little unwelcome. It could be that this is just how Google’s extension system works, but it is not really consistent with users’ expectations.
The situation is a little more complicated for Chromium. One of the reasons people give for using open source software is that they can examine the source code and know exactly what is going on; automatically downloading and loading a binary extension with no source code clearly runs contrary to this spirit.
Today, Google developers announced that they would make a change to Chromium. Starting today, Chromium 45 builds will not download the module by default.