Google Chrome May Have Stealthily Downloaded An Audio Listener To Your Computer That Listens To Your Room [Report]

In an article published on the website Privacy Online News, Rick Falkvinge, founder of the first Pirate Party, makes the claim that Google is stealthily downloading audio listeners onto every computer that runs Chrome. The software is able to transmit audio data back to Google, meaning that Google can eavesdrop on conversations in your bedroom when your computer is running Chrome. According to Falkvinge, Google is doing this without user consent.

The first clue that Google might have downloaded an audio software eavesdropping on users' private conversations, according to Falkvinge, came from a bug report indicating that when one starts Chrome, "it downloads something," followed by a status report that says "Microphone: Yes" and "Audio Capture Allowed: Yes."

Falvinge alleges evidence that without consent, Google is downloading a "black box" of code into Chrome users' computers through its open-source Chromium. The code switches on the microphone to make it listen to your room.

"... you don't install black boxes onto a Debian or Ubuntu system [for instance]; you use software repositories that have gone through this source-code audit-then-build process.

"Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed [the] audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don't know and can't know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted."

Falvinge explains that the "black box" code is downloaded ostensibly to enable a feature that activates a search function when you say "Ok, Google," but the problem is that the code appears to have enabled eavesdropping on conversations in your room.

Falkvinge argues – controversially – that the voice command is not analyzed by your computer but by Google's servers, meaning that Google Chrome has configured you system to listen continuously to your room and send audio data to Google servers. And this has been done without users' knowledge or consent.

Moving ostensibly to remedy the problem, Google silently introduced a switch that allows you to opt out. However, given the fact that the entire code was downloaded surreptitiously without the knowledge of users, most users do not know they are hosting a stealth listening-module in their system and that their rooms have effectively been wiretapped. Thus, they are not aware of the need to opt out to protect their privacy.

Google also released an officials statement, which Falkvinge explains amounted to Google admitting that they bypassed the source code auditing process by downloading and installing wiretapping black-box codes to user's computers. But Google excuses its action by claiming that they were not actually activating the code. In short, according to Falkvinge, Google wants you to trust them that they will never abuse your trust by activating an eavesdropping black-box code they downloaded onto your computer without your knowledge and consent.

"Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don't even get a theoretical choice. You're already downloading a black box from a vendor. In Google Chrome, this is all included from the start."

Falvinge argues that Google's action once again highlights the need for "hard" switches for all surveillance devices such as webcams and microphones, in addition to "soft" switches that require that you access the software to deactivate it. He recommends, for instance, a physical switch that can be used to deactivate a microphone or a "hard shield" that can be used to block a webcam.

He also responded to efforts by some readers to downplay the revelation that Google Chrome stealthily installs an audio listener to users' systems. In the comments section of the article, some argued that the software only listens when you say "Ok, Google," but Falkvinge argues that the assumption leaves unanswered the question of how it listens for you to say "Ok, Google" before its starts capturing audio data in your room.

Other readers argued that listening is not equivalent to transmitting the audio data to Google servers because it is possible – contrary to Falkvinge's claim -- that the system does not transmit the data until after transmission mechanism has been activated by the voice command. What this implies is that the code is able to analyze the voice command for activation locally before audio data transmission begins.

A reader said that by watching the outgoing network traffic, he was able to confirm that the audio listener does not transmit everything you say to Google before you activate it using the voice command.

"The binary is code that listens for and recognizes 'Google' LOCALLY. This is easy to verify simply by watching outgoing network traffic. There would have to be a steady stream if it were sending all audio to Google... I did watch network traffic before, during and after 'activating' it with its hotword. Nothing is sent until it is activated."

But Falkvinge sidestepped this argument by pointing out that users do not know what other keywords, besides "Ok, Google," that Google has set to trigger the audio transmission process.

Falkvinge's argument is relevant in the context of recent Snowden disclosures of NSA spying on people's privacy. In the context of the recent disclosures of NSA spying, any potential capability of a tech giant such as Google to eavesdrop on people's privacy should be taken seriously.

Falkvinge emphasized the point that what readers who argued that Google does not transmit until the audio transmission is activated by the signal "Ok, Google" appeared to miss is the significant fact that without your consent, Google has downloaded to your computer a black-box code that is potentially capable of transmitting audio data from your room to Google servers.

Another reader pointed out the risk for users.

"The issue is, there's no reason Google couldn't, if they so desired, silently change the behavior to listen for other keywords."

[Image: Wikimedia Commons]