If it were really listening even when inactive, then people would be complaining about it sucking up bandwidth and data allotments.
a) Government A decides target B has valuable communications, and uses this audio capture functionality as an attack vector (i.e., a MiTM server modifies the chrome binary blob request slightly to a version where chunked audio is sent back to a control server).
b) (more likely) This binary blob contains a voice recognition algorithm, which can of course detect the phrase "ok, google." Imagine they wanted to detect other phrases, like "drugs" or "travel." Small modifications could easily allow an arbitrary list of "hot" terms to be targeted. Then no audio is even sent back from the user's computer--a small flag in your google account is simply set attaching your profile to "high risk" terms overheard, and databased, where it could later be queried by law enforcement.
It's troubling because there's no transparency, and if you spend a little time brainstorming about the ways this could be used maliciously (most likely by a nation-state) there are many possibilities...
The problem with this blog post is that the author gets in a tizzy about what could happen, not what is actually happening. What could happen has not been affected by the recent Chromium screw-up, nor is it specific to Chromium.
Chrome is a very widely-distributed piece of trusted, self-updating software. It's also (for most users) directly connected to your google account--which is in many ways an intimate mirror to your identity.
You're absolutely right that this issue is not unique to Chrome, and can (and does) arise in any piece of software from native OSes & apps to 3rd party binaries.
I also think Chrome specifically warrants added concern for its ubiquity and de-facto link to your identity.
Anyone can use these techniques to target an individual, network, or system, but Chrome is one of the most widely distributed pieces of software designed with analytics in mind, from a company known for designing algorithms to improve contextual awareness.
What that means is, it's uniquely trivial to add in a few vectors of phonemes to recognize certain words/phrases, flip on an analytics pixel, and instantly have 100s of millions of devices running chrome associate their linked google accounts with this word/phrase.
The theory that it's a small local plugin is also affirmed by the fact that my cellphone can do "ok google" without any sort of network, and is sometimes tricked into activating by audiobooks that make noises completely unlike "ok google".
The 9th Circuit said "no," but the court's reasoning wasn't based on privacy concerns. The reasoning was that companies can only be forced to comply with wiretaps when the order would cause a "minimum of interference" (and the FBI's tap would have disabled the call-an-operator feature if there were an emergency, which exceeded the "minimum of interference" threshold).
This is not unique to Google, which has done a better job than just about any company I can think of at fighting off overly broad surveillance demands; see my post from two years ago for examples: https://news.ycombinator.com/item?id=5725899
Why could Apple, Microsoft, or Samsung not be compelled -- let's assume an actual court order exists -- to deliver a software update to a specific user that allows FBI agents remote access to that device microphone? Or AT&T? Or Verizon? We know from recent history that AT&T is hardly likely to put up a fight.
I wrote more about the outer limits of the Feds' surveillance authority here: http://www.cnet.com/news/how-the-u-s-forces-net-firms-to-coo... Excerpt: "Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks..." And earlier: "In 1977, the U.S. Supreme Court ruled that surveillance law is a "direct command to federal courts to compel, upon request, any assistance necessary to accomplish an electronic interception..."
In terms of a hierarchy of privacy protection, I trust technology > courts > Congress > DOJ oversight > FBI.
It's interesting to note that the mic can be activated with the cell phone "turned off", as some models at the time didn't fully shut down even being powered down.
Here's an article from 9 years ago on the case that the government decided to make public.
Regardless, the black box aspect means this can be targeted to high value individuals and could even be limited to their home or mobile networks. Then again, it's somewhat irrelevant since all sysadmins are already legally owned by security services and sworn to secrecy by the current legal frameworks, no cloak and dagger required. And it would be hard to believe that any competent foreign intelligence org hadn't fully infested such juicy targets as google and high value corporate networks long ago.
There's an old rule that you shouldn't write down anything you wouldn't want to hear read out in a court of law. Same goes for online, and now for when you are in the vicinity of a mobile device.
I would change it to:
Has anyone actually confirmed that Chrome is continuously listening?
I'd say it's pretty much a given that it's continuously listening. How else would it know when to respond to an "ok, google" audio cue?
Because you open a new tab or you go to the search bar and then it starts to listen IF you have activated that option?
"Ok Google" only works on a new tab page. Look at the microphone icon in the search box to see whether it’s listening for the phrase "Ok Google" or not:
Please see my statement here for details:
Furthermore, you are right that if you turn on the "Ok Google" setting, the plugin will start listening to your microphone, but will not send audio to Google servers unless it hears an "Ok Google".
That's not relevant. The problem is that they _could_ do that (for some subset of users, potentially) and in most cases no one would even notice it.
There's a TSA joke somewhere in this.
> After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading "Chrome Hotword Shared Module" extension, which contains a binary without source code. There seems no opt-out config.
They don't have the resources to do a full audit on all the packages:
> Due to the sheer size of the current Debian release it is infeasible for a small team to be able to audit all the packages, so there is a system of prioritizing packages which are more security sensitive.
I need to sit and reflect a bit on this, but I'm contemplating abandoning every bit of non free software I currently use (and there's a lot of it since I'm using Windows and Android).
The author isn't claiming that free software is immune to this either (think about the flaw hiding in plain sight in OpenSSH for years). The author is saying that if you want to protect yourself from image / audio capture without your consent, make sure you can physically deactivate those features on your hardware in a way that software cannot physically re-activate them, i.e. mechanical switches.
Libre, high quality, and user friendly. Pick two.
The other day, on OS X, I happened to start a new copy of Firefox in an account that had parental controls enabled (such as Guest user by default). It was a real eye-opener.
Parental controls alerts anytime an https connection is initiated. Basically it was impossible to keep Firefox from immediately initiating quite a number of these. I frantically tried to uncheck all the relevant preferences I could (e.g. "Block reported web forgeries").
I failed. Firefox still insisted on phoning home (maybe I missed something?). Also, it was hard to even make progress. The parental controls popup takes focus and demands an administrator's approval to proceed. By the time I could dismiss the popup, Firefox tried to phone home again and a new popup appeared.
Here are just some of the sites that Firefox immediately accesses:
I don't think there is a rule.
So you could argue that they are not all that user friendly.
They are user friendly; they just represent the usages of the type of user using them.
This is something I see said a lot, constraining an interface to your average completely new user who knows nothing makes it very difficult to have that interface adequately serve people with more experience, you load up the benefit on the front side and trash the backside in response - that said some powerful interfaces are just objectively bad but the tool's utility overrides that.
The software for making a photo collage for Grandma and the software for controlling replication across a hundred database nodes can be radically different and still be user friendly.
Lots of software tends to assume that the user is a new user but the problem then is that a new user rapidly becomes a not-new user and those things that helped initially now hamper productivity (cough Clippy cough).
I'm not saying everyone should have a Symbolics terminal and that requiring lisp knowledge should be mandatory so much as lots of people say open source isn't "user friendly" when what they mean is it's not particularly friendly to new/inexperienced users coming from outside.
http://rippedwire.sourceforge.net/images/hbgtk-video.jpg for example, to a new user that is very unfriendly but if you use it frequently and/or understand what you are trying to do that kind of no-nonsense interface is user friendly.
I'm guessing a rough approximation is possible on some operating systems. Given the sprawling management infrastructure in Windows, I wouldn't be surprised if it has some "policy" framework in place that allows devices to be declared off-limits at a process granularity. The missing piece, then, is a viable user interface on top of that.
I'm not asking for something akin to the simplified permissions model of mainstream sandboxed mobile operating systems. Not set-and-forget; and certainly not all-or-nothing ("accept these required permissions or don't install the app.") Rather, something quite a bit finer grained and with the necessary infrastructure to have the OS prompt for privileged access if the application wants something I've disallowed, in a manner akin to Windows UAC prompts for admin credentials.
Imagine starting Chrome one day to have your operating system prompt you, "Chrome would like access to audio input 1 (microphone). Allow for now, permanently, or deny?"
I use the free one that comes with Comodo Firewall, but I am unaware of any free, quality, standalone alternatives.
"(Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’)"
This could easily be achieved offline.
The same argument could be made for Siri, a wiretapping device which you carry with you all the time. In fact wiretapping your phone would be much more effective than wiretapping a computer browser application.
Before making such accusations he should present some solid data, like network traffic from an idle chrome application during conversations (with and without saying "Okay Google"). If an idle chrome application was always transmitting data to google, he would have a solid argument.
In the U.S., implementation of a wiretapping scheme like this would be a significant civil and criminal violation. Google is already under an FTC consent decree for privacy violations, which would make it doubly egregious. So I'll give Google the benefit of the doubt - and assume there are privacy-protective mechanisms designed in to the system.
In the age of ambient technology, where anything can be recorded, the onus is now on developers to create systems that internally suppress mass privacy violation. The "Privacy by Design" approach (disclosure, I have an evangelist of PbD) can provide solid guidance as to how to build privacy-protective mechanisms (e.g. data minimization, data scrubbing) into ambient technologies.
If this was true, Debian would not have built/released this version of Chromium. The author is living in the past or in another dimension. Some projects are complex, and it's hard/impossible to read/understand everything for a single human being.
Uncheck: Enable "Ok Google" to start a voice search.
NaCl Enabled Yes
Audio Capture Allowed Yes
From chrome://settings/ under the Search heading, "Enable 'Ok Google' to start a voice search" is unchecked and has always been unchecked.
NaCl Enabled Yes
Audio Capture Allowed Yes
In Settings my 'Ok Google' is (and was) unchecked. What gives?
If you're running Google Chrome: Weep.
I metaphorically did. Then I closed Chrome and tabbed back to my Firefox window.
This feels like I had an Amazon Echo dropped by my house, plugged in, and then shoved behind a book on the shelf so that I wouldn't see it. Ethics be damned.
Google Chrome 43.0.2357.124 ()
OS Mac OS X
NaCl Enabled Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Field trial Install
Start Page State No Start Page Service
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension Path /Applications/Google Chrome.app/Contents/Versions/43.0.2357.124/Google Chrome Framework.framework/Resources/hotword
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module Path <user path redacted>/Application Support/Google/Chrome/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0
Shared Module State ENABLED
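Added example, not part of any comment in this thread: a small Python check for the Chrome diagnostic dump pasted above, comparing the hotword opt-in settings with the state of the hotword extension and shared module. The field labels and sample values are copied from that dump; the function names and verdict strings are made up for illustration.

```python
# Added example (not from the thread): triage a pasted Chrome hotword dump.
# Labels and sample values are copied from the dump posted above.

SETTINGS = [
    "Hotword Search Enabled",
    "Always-on Hotword Search Enabled",
    "Hotword Audio Logging Enabled",
]
COMPONENTS = ["Extension State", "Shared Module State"]
OTHER_LABELS = [
    "NaCl Enabled", "Audio Capture Allowed", "Current Language",
    "Hotword Previous Language", "Field trial", "Start Page State",
    "Extension Id", "Extension Version", "Extension Path",
    "Shared Module Id", "Shared Module Version", "Shared Module Path",
]

SAMPLE_DUMP = """\
NaCl Enabled Yes
Audio Capture Allowed Yes
Current Language en-US
Hotword Previous Language en-US
Hotword Search Enabled No
Always-on Hotword Search Enabled No
Hotword Audio Logging Enabled No
Extension Id nbpagnldghgfoolbancepceaanlmhfmd
Extension Version 0.0.1.4
Extension State ENABLED
Shared Module Id lccekmodgklaepjeofjdjpbminllajkg
Shared Module Version 0.3.0.5
Shared Module State ENABLED
"""


def parse_dump(text):
    """Split flattened 'Label value' lines using the known labels."""
    # Longest labels first, so a shorter label can never shadow a longer one.
    labels = sorted(SETTINGS + COMPONENTS + OTHER_LABELS, key=len, reverse=True)
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        for label in labels:
            if line == label or line.startswith(label + " "):
                fields[label] = line[len(label):].strip()
                break
    return fields


def triage(fields):
    """Compare the user-facing opt-in settings with the component state."""
    missing = [k for k in SETTINGS + COMPONENTS if k not in fields]
    opted_in = [s for s in SETTINGS if fields.get(s, "").lower() == "yes"]
    enabled = [c for c in COMPONENTS if fields.get(c, "").upper() == "ENABLED"]
    if missing:
        verdict = "incomplete dump"  # e.g. only the first two rows were pasted
    elif enabled and not opted_in:
        verdict = "hotword components enabled without opt-in"
    elif enabled:
        verdict = "hotword components enabled, user opted in"
    else:
        verdict = "hotword components not enabled"
    return {"verdict": verdict, "opted_in": opted_in,
            "enabled": enabled, "missing": missing}


if __name__ == "__main__":
    print(triage(parse_dump(SAMPLE_DUMP)))
```

The verdict reflects only what the browser reports about itself; it says nothing about whether audio is actually being captured or sent anywhere.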
How is that hard?
For speakers it has happened to me a few times that something has started to play loud sounds and I can not mute it because Windows is locked up somehow or I'm in fullscreen or whatever.
... but yes, they should still be included. ;)
I certainly hope the penalty for illegally wiretapping hundreds of millions of people is more than $1 per head. I value the privacy of my conversations (and life) way more than that.
Besides, if I opt-in to this service, why should everyone who ever walks into my home or office be presumed to have made the same choice? What if I am a doctor or lawyer who is not legally allowed to make that choice?
Consider that you're one of the developers that wrote this feature. You try very hard to make sure your users' privacy rights are respected. Normally your work is strong and you catch all of the corner cases, but this one you missed. You've fixed it upstream, but folks are demanding 5% of the company's bottom line because of a mistake /you/ made. The code isn't even used unless the user ticks a box to turn it on in the first place, which is even verifiable with a cursory use of system monitoring tools like fuser, lsof, etc.
You've been marked as costing a company a major stake of their income. You'll likely never live that down.
If you don't like the company's behavior, /don't use the software/. Simple, clean, and effective in large numbers -- more so than regulation action. Chromium is an open source first browser, we as a community actually have a hand in its development. If you don't like this, fix it.
IMNSHO, user-hostile business decisions should be fined in a way that does impact the business. We've long since passed the point where this can be resolved with a slap on the wrist. So yes, 5% of revenue seems like an appropriate figure to start with.
By that reasoning, tobacco and asbestos shouldn't be regulated
Surely a developer working for Google knows that user privacy is not a priority for the company?
Google does not operate like Apple -- there are many hands at the tiller, and the ship moves in almost arbitrary directions at times. Situations like this do come up, and they are most of the time honest mistakes or oversights.
Google cares very much about other actors violating user privacy. Not quite the same amount of "caring" if the violations are being done by Google itself.
It also happens to my android-using friends. I've become convinced that Android phones are listening all the time so that they can figure out what we're about to search for and what to advertise to us.
Given that this has been my (admittedly anecdotal) experience with Android, I wouldn't be surprised at all if Google was trying to take this type of thing to the desktop with Chrome.
I love Google and have historically just not cared about my privacy as far as they're concerned, but I'm getting more creeped out as this kind of stuff becomes more pervasive.
A friend of mine was convinced that Google was data-mining his Gmail because it recommended a flight on a related search atop the dates he was considering visiting a friend (if I recall correctly, he looked up driving directions and Google suggested "You could get there faster if you took <FLIGHT> on <EXACT DATE HE AND HIS FRIEND HAD BEEN TALKING ABOUT FLYING>").
I punched in the same directions as him in an incognito browser session and... Got the same flight suggestion. Then I looked at the nearby flights and found that the suggested one was really just the cheapest one that week. Turns out his friend and he were planning to meet on a day they happened to be free... Because it was near a holiday, so a lot of people were free, so airlines factored that into their pricing model, so Google recommended a flight because it was a popular flight that a lot of people wanted to take between those two destination points.
It's far, far more likely that targeted advertising is working because we are not the special snowflakes we believe ourselves to be. The correlation algorithms can guess a lot from a few data points when they have billions of correlations to sort through.
No, Android phones are not listening all the time
That's presuming it just doesn't cue up a text or audio log on the device and upload it to Google the next time it's on wi-fi and plugged into a charger.
1. 4khz mono audio is sufficient for human voice recognition and tiny in terms of storage.
Downloading a binary blob is very bad, but the accusations that author makes without a single proof is more FUD than anything.
This might work
You assume that the light isn't controlled by the same software, that's not always the case, the FBI has admitted this.
I take the view that anything under software control or the control of a chip I can't open is suspect, I've taped the webcam on laptops and physically disconnected built in microphones (I use a headset, built in ones suck).
I'm not really happy about my Nexus 4 at all either, I think my next phone will be a dumb mobile.
The sad thing is that I try to avoid paranoia with this stuff but the threat landscape is so large it's practically a full time job staying up to date with what's going on.
Oh, and smart TVs. It is a real problem though.
"Ok Google" functionality is an expressly required opt-in. I had to go out of my way to turn it on.
Think of the corporate boardrooms with Chromebox for meetings, listening in even when not actively used for meetings. An exec at the Better Business Bureau who chose Chromebox because they were excited to, "[reduce] the time [they spend] ... worrying about security concerns," is discussing the growing complaints the BBB has received about a competitor to a company owned by Google. He says, "Ok, Google owns their primary competitor, and they may have insight to offer us."
Wait, that's just my tin foil beanie. Let me put on the tin foil balaclava.
The U.S. Department of State is in an all-hands-on-deck crisis meeting over a deeply divisive political situation involving a first-world ally. Chrome is updated with the eavesdropping feature (remember, it's just my tin foil that's making me choose that word, I know it's hyperbole), and it's already been "deployed to production immediately, bypassing cumbersome testing." Someone in the meeting says, "OK, Google News has been trending a lot of stories about this issue." Sensitive things are then said about this ally, things that are now being heard by an enemy of the state, because they were able to use their previously embedded network sniffers to capture and forward interesting network traffic.
It's frightening that a feature is enabled by default, and difficult to disable, that could capture sensitive conversations without the knowledge of the parties speaking because they innocently started a sentence with, "OK, Google." Certainly this violates wiretapping laws?
Let's pile on. Hospitals and medical centers are using this too, according to the Chrome for Work pages. A doctor says, "Ok, Google had a lot of results about new HLA-B27 research," when discussing a patient's arthritic concerns, while proceeding to outline the patient's symptoms and how treatment should proceed and now we're looking at a potential HIPAA Privacy Rule violation.
As I type this, I look over at my Amazon Echo, and I'm reminded of something I heard once. If you're not paying, you're not the customer, you're the product. Is that hypocritical of me to accept my Amazon Echo but not the behavior of Google Chrome?
That doctor's phone should have had a mechanical switch to disable the microphone, is the author's point.
A mountain is being made out of this molehill. If the extension was only downloaded at the time that the option was enabled by the user, nobody would care. Instead, they chose to have the extension always available and as a result people are having paranoid over-reactions.