
Google listening in to your room shows importance of privacy defense in depth - arto
https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/
======
metric10
Has anyone actually confirmed that Chrome is continuously sending audio back
to Google? I _highly_ doubt that this is the case. Instead, the plug in knows
how to recognize "OK Google" all by itself. Once activated, then it starts
sending audio data.

 _IF_ it where really listening even when inactive, then people would be
complaining about it sucking up bandwidth and data allotments.

~~~
j42
It's not about consistently being bugged though--I see two troubling
implications to this;

a) Government A decides target B has valuable communications, and uses this
audio capture functionality as an attack vector (ie, a MiTM server modifies
the chrome binary blob request slightly to a version where chunked audio is
sent back to a control server).

b) (more likely) This binary blob contains a voice recognition algorithm,
which can of course detect the phrase "ok, google." Imagine they wanted to
detect other phrases, like "drugs" or "travel." Small modifications could
easily allow an arbitrary list of "hot" terms to be targeted. Then no audio is
even sent back from the user's computer--a small flag in your google account
is simply set attaching your profile to "high risk" terms overheard, and
databased, where it could later be queried by law enforcement.

It's troubling because there's no transparency, and if you spend a little time
brainstorming about the ways this could be used maliciously (most likely by a
nation-state) there are many possibilities...

~~~
lern_too_spel
This is true of any auto-updating software, including your operating system
and all evergreen browsers.

The problem with this blog post is that the author gets in a tizzy about what
_could_ happen, not what is _actually_ happening. What _could_ happen has not
been affected by the recent Chromium screw-up, nor is it specific to Chromium.

~~~
j42
Except Chromium as a framework is in an interesting position... and I think
the threat is not even in how this could be used with malicious intent, but
rather how easy it allows for indiscriminate passive logging on a grand scale.

Chrome is a very widely-distributed piece of trusted, self-updating software.
It's also (for most users) directly connected to your google account--which is
in many ways an intimate mirror to your identity.

You're absolutely right that this issue is not unique to Chrome, and can (and
does) arise in any piece of software from native OSes & apps to 3rd party
binaries.

I also think Chrome specifically warrants added concern for its ubiquity and
de-facto link to your identity.

Anyone can use these techniques to target an individual, network, or system,
but Chrome is one of the most widely distributed pieces of software designed
with analytics in mind, from a company known for designing algorithms to
improve contextual awareness.

What that means is, it's uniquely trivial to add in a few vectors of phonemes
to recognize certain words/phrases, flip on an analytics pixel, and instantly
have 100's of millions of devices running chrome associate their linked google
accounts with this word/phrase.

------
Mithaldu
This is pretty funny. He complains that Chromium managed to "bypass this
audit-then-build process", by downloading stuff afterwards, while ignoring
that this happening already shows that the audit process is completely useless
since it failed to recognize and reject the code that would do this.

There's a TSA joke somewhere in this.

~~~
fweespeech
The audit process assumes the upstream maintainers aren't malicious actors
attempting to actively bypass the process:

> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts downloading
> "Chrome Hotword Shared Module" extension, which contains a binary without
> source code. There seems no opt-out config.

They don't have the resources to do a full audit on all the packages:

[https://www.debian.org/security/audit/](https://www.debian.org/security/audit/)

> Due to the sheer size of the current Debian release it is infeasible for a
> small team to be able to audit all the packages, so there is a system of
> prioritizing packages which are more security sensitive.

------
jmnicolas
I think this is the last straw for me : enough is enough.

I need to sit and reflect a bit on this, but I'm contemplating abandoning
every bit of non free software I currently use (and there's a lot of it since
I'm using Windows and Android).

~~~
kiba
It appears that we're stuck in a tradeoff regarding software:

Libre, high quality, and user friendly. Pick two.

~~~
mrj
Firefox is open, high quality and user friendly.

~~~
Retra
Firefox's success often seems to be the exception that proves the rule.

~~~
noir_lord
postgres, python, inkscape, XFCE, various shells, GTK, Qt, even libreoffice
(which has gone through astounding refactoring), vim, emacs, apache, nginx.

I don't think there is a rule.

~~~
Retra
That's a good point. Maybe it is a matter of perspective: none of those are
consumer programs, they are developer tools. (Except libreoffice, but that has
had its problems.)

So you could argue that they are not all that user friendly.

~~~
noir_lord
> Contrary to popular belief, Unix is user friendly. It just happens to be
> very selective about who it decides to make friends with.

They are _user_ friendly they just represent the usages of the type of user
using them.

This is something I see said a lot, constraining an interface to your average
completely new user who knows nothing makes it _very_ difficult to have that
interface adequately serve people with more experience, you load up the
benefit on the front side and trash the backside in response - that said some
powerful interfaces are just objectively bad but the tools utility overrides
that.

~~~
Retra
At this point, I don't even know what "user friendly" means.

~~~
noir_lord
user friendly - designed to aid the user in doing whatever task they are
doing.

The software for making a photo collage for Grandma and the software for
controlling replication across a hundred database nodes can be radically
different and still be user friendly.

Lots of software tends to assume that the user is a new user but the problem
then is that a new user rapidly becomes a not-new user and those things that
helped initially now hamper productivity ( _cough_ Clippy _cough_ ).

I'm not saying everyone should have a Symbolics terminal and that requiring
lisp knowledge should be mandatory so much as lots of people say open source
isn't "user friendly" when what they mean is it's not particularly friendly to
new/inexperience users coming from outside.

[http://rippedwire.sourceforge.net/images/hbgtk-
video.jpg](http://rippedwire.sourceforge.net/images/hbgtk-video.jpg) for
example, to a new user that is very unfriendly but if you use it frequently
and or understand what you are trying to do that kind of no-nonsense interface
_is user friendly_.

------
bhauer
I want my desktop operating system to offer fairly fine-grained control of
permissions I selectively grant to processes/applications. I would like the
ability to easily revoke Chrome's ability to use my audio inputs, and then—if
the use case comes up, such as a WebRTC conference—I can grant permission
either on a one-time basis or until I revoke. This would be the operating
system controlling the application's capability.

I'm guessing a rough approximation is possible on some operating systems.
Given the sprawling management infrastructure in Windows, I wouldn't be
surprised if it has some "policy" framework in place that allows devices to be
declared off-limits at a process granularity. The missing piece, then, is a
viable user interface on top of that.

I'm not asking for something akin to the simplified permissions model of
mainstream sandboxed mobile operating systems. Not set-and-forget; and
certainly not all-or-nothing ("accept these required permissions or don't
install the app.") Rather, something quite a bit finer grained and with the
necessary infrastructure to have the OS prompt for privileged access if the
application wants something I've disallowed, in a manner akin to Windows UAC
prompts for admin credentials.

Imagine starting Chrome one day to have your operating system prompt you,
"Chrome would like access to audio input 1 (microphone). Allow for now,
permanently, or deny?"

~~~
ionised
An HIPS can do much of this on Windows. It takes some training though.

I use the free one that comes with Comodo Firewall, but I am unaware of any
free, quality, stand alone alternatives.

------
turk-
How does he know Chrome is transmitting ALL conversations that it hears? His
arguments aren't valid:

"(Ok, so how does it know to start listening just before I’m about to say ‘Ok,
Google?’)"

This could easily be achieved offline.

The same argument could be made for Siri, a wiretapping device which you carry
with you all the time. In fact wiretapping your phone would be much more
effective then wiretapping a computer browser application.

Before making such accusations he should present some solid data, like network
traffic from an idle chrome application during conversations (with and without
saying "Okay Google"). If an idle chrome application was always transmitting
data to google, he would have a solid argument.

~~~
fstutzman
Agreed - there is a lot of speculation here.

In the U.S., implementation of a wiretapping scheme like this would be a
significant civil and criminal violation. Google is already under a FTC
consent degree for privacy violations, which would make it doubly egregious.
So I'll give Google the benefit of the doubt - and assume there are privacy-
protective mechanisms designed in to the system.

In the age of ambient technology, where anything _can_ be recorded, the onus
is now on developers to create systems that internally suppress mass privacy
violation. The "Privacy by Design" approach (disclosure, I have an evangelist
of PbD) can provide solid guidance as to how to build privacy-protective
mechanisms (e.g. data minimization, data scrubbing) into ambient technologies.

------
neumino
> When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a
> fresh computer, thousands of really smart people have analyzed every line of
> human-readable source code

If this was true, Debian would have not build/release this version of
Chromium. The author is living in the past or in another dimension. Some
projects are complex, and it's hard/impossible to read/understand everything
for a single human being.

------
uptown
Type this into your Chrome address bar to see the extension status:
chrome://voicesearch/

~~~
nakedrobot2
NaCl Enabled Yes Microphone Yes Audio Capture Allowed Yes Current Language en-
US Hotword Previous Language en-US Hotword Search Enabled No Always-on Hotword
Search Enabled No Hotword Audio Logging Enabled No

What now?

~~~
thestepafter
Go to chrome://settings/

Uncheck: Enable "Ok Google" to start a voice search.

~~~
disposition2
So I have Chrome installed (although I don't use it as my primary) and I
checked...

NaCl Enabled Yes Microphone Yes Audio Capture Allowed Yes

In Settings my 'Ok Google' is (and was) unchecked. What gives?

~~~
lsaferite
"Hotword Search Enabled" is the one you are interested in.

------
jimhefferon
This is why there needs to be a switch on all computers to _physically_ turn
the microphone off.

How is that hard?

~~~
fixermark
Physical switches are the most common point of mechanical failure. It
translates to real-world lost revenue in terms of returns and repairs to
include them at all.

... but yes, they should still be included. ;)

~~~
nulltype
There's a light for the camera, they should just add one for the microphone.

~~~
bob-2
While acceptable for most paranoid users, the indicator light isn't as secure
as a physical switch. For some devices (most notably 2007/2008 era MacBooks)
the controller can be manipulated to enable the camera without giving any
visual indication via the light.

~~~
nulltype
Yeah but what if the physical switch gets manipulated? I think if you're that
paranoid you need to keep your macbook in a vacuum so it can't pick up any
sound.

------
ape4
I always assumed the purpose of Chrome was to spy on us. So I don't use it.

------
rasz_pl
I wonder if European Commission would be interested in adding this to their
investigation, couple of hundred million dollars should be enough penalty for
violating users privacy.

~~~
deoptimo
I agree with the sentiment, but I don't think a competition investigation is
the appropriate forum to deal with this. There should be a fine, perhaps
through a class action or criminal conviction.

I certainly hope the penalty for illegally wiretapping hundreds of millions of
people is more than $1 per head. I value the privacy of my conversations (and
life) _way_ more than that.

Besides, if I opt-in to this service, why should everyone who ever walks into
my home or office be presumed to have made the same choice? What if I am a
doctor or lawyer who is not legally allowed to make that choice?

~~~
deoptimo
Why the down vote?

------
jonstokes
Not surprised. I was a die-hard android user, but I kept having stuff like
this happen to me, over and over again:
[http://www.reddit.com/r/technology/comments/2kwbl2/im_convin...](http://www.reddit.com/r/technology/comments/2kwbl2/im_convinced_my_android_phone_listens_to_me_and/)

It also happens to my android-using friends. I've become convinced that
Android phones are listening all the time so that they can figure out what
we're about to search for and what to advertise to us.

Given that this has been my (admittedly anecdotal) experience with Android, I
wouldn't be surprised at all if Google was trying to take this type of thing
to the desktop with Chrome.

I love Google and have historically just not cared about my privacy as far as
they're concerned, but I'm getting more creeped out as this kind of stuff
becomes more pervasive.

~~~
Oletros
Can you provide any proof of that?

No, Android phones are not listening all the time

~~~
jonstokes
Nope, I have no proof, and of course I'd be happy to learn that they aren't
listening. I just hypothesize that they are based on my experience, but I've
not tried to test it in any systematic way.

~~~
Oletros
Listening all the time and sending the audio to Google would kill an
smartphone in a moment. Apaty of the bandwith used

~~~
runjake
<tinfoil>

That's presuming it just doesn't cue up a text or audio[1] log on the device
and upload it to Google the next time it's on wi-fi and plugged into a
charger.

</tinfoil>

1\. 4khz mono audio is sufficient for human voice recognition and tiny in
terms of storage.

~~~
bduerst
Pretty sure someone would detect that with packet inspection, even if
compressed.

------
Oletros
has the author really tested if Chromium is listening?

Downloading a binary blob is very bad, but the accusations that author makes
wihouth a single proof is more FUD than anything

~~~
fixermark
It's irrelevant to the argument. The author is making an appeal to the
slippery slope (even if it's not happening right now, and even if Google is
not doing it.... It could easily happen tomorrow and anyone _could_ do it.
Shutter your cameras and make sure your microphones can be physically
deactivated).

~~~
bduerst
Isn't an argument based solely on FUD essentially a slippery slope?

------
anaptdemise
There is also a bug report from a year ago.
[https://code.google.com/p/chromium/issues/detail?id=381747](https://code.google.com/p/chromium/issues/detail?id=381747)

------
feld
Is there a GPO to control this setting in Windows?

edit:

This might work

[http://www.chromium.org/administrators/policy-
list-3#AudioCa...](http://www.chromium.org/administrators/policy-
list-3#AudioCaptureAllowed)

------
izzydata
My only audio recording device is my webcam and it is incapable of being in
use without the light being on as far as I am aware. So how would it send them
audio data without the audio device realize it is being used?

~~~
noir_lord
> My only audio recording device is my webcam and it is incapable of being in
> use without the light being on as far as I am aware.

You assume that the light isn't controlled by the same software, that's not
always the case, the FBI has admitted this.

[https://grahamcluley.com/2013/12/webcam-spying-without-
turni...](https://grahamcluley.com/2013/12/webcam-spying-without-turning-led-
researchers-prove-possible/)

I take the view that anything under software control or the control of a chip
I can't open is suspect, I've taped the webcam on laptops and _physically_
disconnected built in microphones (I use a headset, built in ones suck).

I'm not really happy about my Nexus 4 at all either, I think my next phone
will be a dumb mobile.

The sad thing is that I try to avoid paranoia with this stuff but the threat
landscape is so large it's practically a full time job staying up to date with
whats going on.

------
w8rbt
One thing to keep in mind. If your friend has a Google device using Chrome,
and you are close to them (in the same room) it hears your voice as well.

~~~
Oletros
Any source for this?

~~~
alfiedotwtf
Physics

~~~
Oletros
What has to do physics with the claim that Android Chrome is always listening?

------
zobzu
Note that all android phones have that issue. Also all windows phones and soon
windows 10.

Oh and smart tvs. it is a real problem though

~~~
McGlockenshire
> all android phones have that issue

Citation needed.

"Ok Google" functionality is an expressly required opt-in. I had to go out of
my way to turn it on.

~~~
zobzu
google phones (nexuses) pretty much turn it on as u hit next next next on
install thats actually pretty similar the chrome tvs also warn you usually -
but nontech ppl dont notice. next next.

~~~
Oletros
No, search recognition is not in the initial setup

------
lfender6445
if you goto chrome://settings/content it appears you can disable mic + camera
access for all pages

~~~
rasz_pl
I bet this is for something else, probably html5, just like Flash has
mic/camera access permissions.

------
spdustin
Okay, I'm going to put on my tin foil hat for a bit here.

Think of the corporate boardrooms with Chromebox for meetings, listening in
even when not actively used for meetings. An exec at the Better Business
Bureau [0] who chose Chromebox because they were excited to, "[reduce] the
time [they spend] ... worrying about security concerns," is discussing the
growing complaints the BBB has received about a competitor to a company owned
by Google. He says, "Ok, Google owns their primary competitor, and they may
have insight to offer us."

Wait, that's just my tin foil beanie. Let me put on the tin foil balaclava.

The U.S. Department of State [1] is in an all-hands-on-deck crisis meeting
over a deeply divisive political situation involving a first-world ally.
Chrome is updated with the eavesdropping feature (remember, it's just my tin
foil that's making me choose that word, I know it's hyperbole), and it's
already been "deployed to production immediately, bypassing cumbersome
testing." Someone in the meeting says, "OK, Google News has been trending a
lot of stories about this issue." Sensitive things are then said about this
ally, things that are now being heard by an enemy of the state, because they
were able to use their previously embedded network sniffers to capture and
forward interesting network traffic.

It's frightening that a feature is enabled by default, and difficult to
disable, that could capture sensitive conversations without the knowledge of
the parties speaking because they innocently started a sentence with, "OK,
Google." Certainly this violates wiretapping laws?

Let's pile on. Hospitals and medical centers are using this too, according to
the Chrome for Work pages. A doctor says, "Ok, Google had a lot of results
about new HLA-B27 research," when discussing a patient's arthritic concerns,
while proceeding to outline the patient's symptoms and how treatment should
proceed and now we're looking at a potential HIPAA Privacy Rule violation.

As I type this, I look over at my Amazon Echo, and I'm reminded of something I
heard once. If you're not paying, you're not the customer, you're the product.
Is that hypocritical of me to accept my Amazon Echo but not the behavior of
Google Chrome?

[0]: [https://www.google.com/work/chrome/resources/customer-
storie...](https://www.google.com/work/chrome/resources/customer-
stories/better-business-bureau/index.html)

[1]: [https://www.google.com/work/chrome/resources/customer-
storie...](https://www.google.com/work/chrome/resources/customer-stories/us-
state-department/index.html)

~~~
fixermark
Yes it is. ;) The author wants us to remember that we live in a world that has
these technological possibilities.

That doctor's phone should have had a mechanical switch to disable the
microphone, is the author's point.

------
wslh
What happen if you play an audio file saying "Ok Google" ?

------
derptron
Wow, is there really no way to disable this? I guess I'm going back to
Firefox.

~~~
jonknee
Of course there is a way to disable this, it's in the settings with all the
other settings.

~~~
plorkyeran
Where? You can turn off voice-activated search, but that doesn't actually
disable the extension.

~~~
McGlockenshire
The extension is only used by voice search. If voice search is disabled, the
extension isn't used by anything.

A mountain is being made out of this molehill. If the extension was only
downloaded at the time that the option was enabled by the user, nobody would
care. Instead, they chose to have the extension always available and as a
result people are having paranoid over-reactions.

