UPDATE At about 23:00 (Pacific time, June 23) Google announced that they are removing the hotwording component entirely from Chromium: “it is not open source, it does not belong in the open source browser”. Good news.

A few days ago, while I was working on my PC at home, I noticed something strange. My PC has a web camera (combined with a microphone) that sits on top of my monitor, and the camera has a small blue LED that lights when the camera and/or microphone are operating.

While I was working, I thought I noticed an LED going on and off in the corner of my eye. After a few times when it just seemed weird, I sat to watch for it and saw it happening, every few seconds or so. I opened Task Manager (I’m working on Windows. Apologies.) and looked for a process to blame for that dodgy activity. Who is listening to me? I didn’t find anything. I know my PC pretty well and I didn’t have any crappy malware accidentally installed. There were a few suspicious processes that I shut down but it didn’t make any difference, and I left it like that.

And then I came across this bug report – it’s Google! And according to them it’s not a bug! They silently put this new module in Chrome (or Chromium to be precise; it doesn’t matter much from an end-user perspective). It’s a prepackaged binary, and Google’s response to the “issue” was pretty odd. Some quotes:

… while we do download the hotword module on startup, we do not activate it unless you opt in to hotwording.

And:

You don’t have to take my word for it. Starting and stopping the hotword module is controlled by some open source code in Chromium itself, so while you cannot see the code inside the module, you can trust that it is not actually going to run unless you opt in.

Trustworthy? I’m not so sure.

Google says the module is there so the browser can respond to “OK Google”. But what if I don’t want it at all? Why inject such a privacy-sensitive module in the first place instead of asking me whether I deliberately want this feature?

This is the thing: we’ve already given our privacy and secrets to Google. They know what we search, who we correspond with, our locations and much more. But this eavesdropping takes it one step further: theoretically, one could control what they reveal to Google by being aware of their computer and mobile usage. Eavesdropping, though, takes it one step further. You can be totally unaware of what Google intercepts from your private room.

What’s more worrying is the huge opportunity (and hence security and privacy risk for us) it gives to 3rd-party vendors, like Chrome extensions, that will now be able to eavesdrop much more easily. After all, you’ll get used to seeing your microphone/camera going on often, and since these things don’t run in their own process but rather in Chrome’s, you won’t really know they do it until you start eliminating (disabling extensions one by one, etc.).

Oh, and go read this post if you’re already angry enough.

What do you think? A real concern or an over-panic?

Not OK, Google
  • Definitely over panicking. Chrome has ALWAYS had the ability to listen to your microphone. This module just does the OK Google thing. It doesn’t give any 3rd party vendors the ability to eavesdrop easier, either.

    It’s just a bunch of FUD.

    • intosh

      Sure, this is FUD. And Lance Armstrong is a legit cycling champion and legend too. It’s certainly not the naive and gullible idiots who unmasked cheaters and exposed abuses and scams.

  • Rick Wong

    If you want to disable it, look under Preferences > Search in Chrome.

    • That’s not the point of the post. The point was the non-consented installation.

      • them0use

        You installed Chrome. It’s a feature of Chrome. It’s also disabled by default. If you don’t trust “disabled” to mean “disabled”, why did you trust that Chrome wasn’t listening before? Why do you trust that any of your other programs aren’t listening now? Any one of them *could* be listening, and if a program saying it isn’t listening (backed up by every test I’ve seen analyzing network traffic with the extension enabled vs disabled), why not believe they all are?

  • rsanchez1

    Looks like those people who tape over their webcams were on to something.

  • Sameer

    Real concern. Good work finding this!

  • Anatol

    Here’s the corresponding ticket in their issue tracker: https://code.google.com/p/chromium/issues/detail?id=500922

    • The link also exists inside my post, and I referred to it.

  • Flyonthewall

    A real concern. We already know from Edward Snowden’s disclosures that Google is one of the many public systems that are backdoored by the NSA (see https://goo.gl/IMrmFW). This backdooring includes data from Xbox (and Xbox Kinect), Outlook.com, AOL, and Yahoo, among others.

  • If you’re not paying for it – you’re the product. I think that losing privacy is one of the worst things that’s happening on this planet.
    I’m paying for my private mailbox (not for Google btw) and I prefer using FF as my browser. I donate to Mozilla, since they actually care about my (read: our) privacy.

    Google started with their “don’t do evil” and became an evil empire themselves. Every now and then we see Google pushes the limit a bit further. To me – they already are in the red zone, and they love it.

    So yes, raise the flag. It’s an important battle to fight. Our privacy means, and should mean, a lot more than another feature for convenient searching. Ok, Google, what’s next, keylogging?!

    • baurigae

      I am curious. What makes you think that if you do “pay for it” you’re “not the product”? Not a rhetorical question. Was there a clever commercial persuading people of this that I missed, or is this a documented fact? Say if you pay Apple twice the value of their hardware/software, does that mean they won’t use/sell/hand over all your data? They promised?

      And in fact, your loss of privacy and mine is much less of a tragedy than the fact billions on this planet have no education opportunities, indoor plumbing, or proper road infrastructure and health care, let alone access to the internet where they could become a product and lose their privacy. So it’s not the worst thing.

      Next (and nothing personal, I don’t mean to pick on you, it’s just that your comment’s the first in the thread 🙂 – I won’t donate to Pocket’s buddy Mozilla, or their slow and clunky Gecko engine.
      Google was “donating” to Mozilla for years. Hundreds of millions. Yahoo now has that role.
      I can’t compete with those guys.

      So I use only Linux on my computers but you know what, Google is a major contributor to the kernel. I’m not saying there’s no hope or that we should not fight or care. But pontification and sloganeering (“Mozilla cares!”) is of no use here. It helps not one little bit.
      IMO.

      Also I thank the blogger here for raising the issue. It’s all over the niche echo chamber populated by the tech-literate minority in this world. The rest of humanity could not care at all.
      The question is – how do we make them care? Nothing changes until the majority cares.

  • Ed Baker

    I am surprised that this is a surprise to anyone. It was a big deal when they added this feature to the Windows version of Chrome, allowing the “ok google” voice search & commands functions on your desktop that we have become accustomed to on Android devices.
    For years there have been concerns over malware using your camera or microphone to monitor you without your knowledge. In fact, it is a common real-life horror story when someone finds out they have been violated in this manner. Women find that hackers have exploited their hardware and have huge video collections of them changing clothes in front of their laptops.
    A good example: A Pennsylvania school provided 2,300 students with laptops with the ability for the school to remotely turn on and monitor the student with the built-in camera.
    So a Google app is the last one I would be concerned with having this access.
    If you have a laptop with a built-in camera / microphone, you should assume they can be activated without your knowledge. Cover the camera (with masking tape?) and use an external microphone (with a physical off switch), when not in use.

  • X41

    protip: you can find the process that is using the camera by using processhacker or processexplorer
    hit “Find Handles or DLLs” and search for “?#USB#vid_”
    that should list every process accessing the cam

  • Alyeldin Mohamed

    You’re “working on windows, apologies” ?

    • Yes, tried to be a bit cynical, you know…

  • Markus

    Are you using an Android device with activated Google Now? If so, the preferences will be synced with your account and will also be available on the desktop version of Chrome. If not – it’s very scary…

  • john

    Here is a very reasonable explanation for this. It does not seem scary now.

    https://code.google.com/p/chromium/issues/detail?id=500922#c6

    • Have you read the post? I’m referring to this exact response.

  • Peter Farrenkopf

    But do we really know what Google and Apple, Sony and Microsoft do with the right to Listen? And whether this collected data is truly safe? The answer is: NO!

  • Frustrated

    So this happened to me! I thought it was a glitch on the laptop, I rebooted, updated, reinstalled camera drivers and even called tech support. I covered the camera as a precaution but never considered the microphone. Time to scour Google’s settings and turn the bugger off.

  • whatevs2014

    They are removing it. That’s good news. I guess.
    I already replaced Chromium with Pale Moon and I will not be looking back.

  • Leroyvay Cohenovski

    I have something similar; so Google may be being “economical with the truth” when claiming that they have stopped. I have a Chromebook (it’s dead cheap & generally v. good) but the camera light (that normally switches on when I open Google Hangouts) comes on randomly: so … am I being filmed ?

  • lili

    Very worrying.
    And if, one day (maybe it’s already here), they find the way to not activate the LED?

    • It’s a hardware feature of individual cameras; don’t think they could do that.
