Not OK, Google: Chromium voice extension pulled after spying concerns

Google has removed an extension from Chromium, the open source sibling to the Chrome browser, after accusations that the extension was installed surreptitiously and subsequently eavesdropped on Chromium users.

The issue first came to light in late May when a bug was filed in the Debian bug tracker. Chromium version 43 was seen downloading a binary extension from Google, and there was neither any ability to prevent this download, nor any source code available for the extension. The extension, called “Chrome Hotword,” was found to be responsible for providing the browser’s “OK, Google” functionality. Although off by default, both Chrome and Chromium, when set to use Google as their default search engine, can permanently listen to the microphone and respond instantly to voice queries, with “OK Google” used as the trigger keyword.

Concern about the nature and purpose of the extension was compounded by the way the browser did and didn’t disclose the extension’s existence. The list of extensions visible at chrome://extensions/ doesn’t include Hotword. Conversely, Hotword’s own status page, chrome://voicesearch/ said that by default the extension was enabled and had access to the microphone.

This looked like an egregious privacy violation; Google silently installing software that listens in to the microphone (and potentially reports back everything it hears to the mothership), and doing so not only in its partially closed source Chrome browser, but the free and open Chromium browser. The extension is supposed to detect the “OK Google” phrase locally, sending only search phrases to Google, but as no source code is available, there’s no easy way to determine this. Other trigger phrases could be included that start transmission, and nobody outside Google would be any the wiser.

This issue came to wider notice after a write-up on Linux Weekly News and another by Pirate Party founder Rick Falkvinge.

In a bug filed in the Chromium bug tracker, Google offered explanations for the behavior. Chrome and Chromium have various built-in features that are implemented as extensions, which Google calls “component extensions.” Some are built in; others are downloaded automatically when the browser is run. By default, these component extensions are not listed alongside normal extensions on chrome://extensions/, though there is a command-line switch, --show-component-extension-options, that will reveal them.

Similarly, Google developers explained that the page showing that the Hotword extension was enabled was being misinterpreted. Enabled in this context does not mean “loaded” or “listening”; it just means “not disabled.” The extension isn’t actually active unless the “OK Google” feature is turned on. This can be verified in Chrome’s own task manager: it lists each loaded extension, and by default the one for Hotwords isn’t loaded.

Check the “OK Google” option and the extension can load. However, it doesn’t simply load once and then stay loaded. When you turn it on, it loads, but a few seconds later, unloads. Subsequently, it only loads on the new tab page (which includes a Google search box) or when visiting google.com. Navigate away from these pages and a few seconds later, the extension unloads again. Turn off “OK Google” and the same thing happens; if the extension is running, it unloads after a few seconds.

Even with the “OK Google” feature turned off, when you start Chrome, the extension is loaded for a few seconds, and then unloaded.

This constant loading and unloading likely explains the experience of developer Ofer Zelig, who noticed that his webcam’s activation light (enabled whenever the webcam’s camera or microphone are accessed) kept turning on apparently at random. This likely coincided with his visits to Google’s home page or when starting a new tab.

For users of Chrome, there doesn’t seem to be any serious issue. Chrome users already have to trust Google to a greater or lesser extent, because the browser isn’t fully open source and contains proprietary Google code. That the extension loads when the browser is started—and appears to access the microphone when it does so—even when “OK Google” is disabled seems a little undesirable. It may be that this is simply how Google’s extension system works, but it’s not really consistent with user expectations.

For Chromium, the situation is a little more complex. One of the reasons that people use open source software is precisely so they can inspect the source code and know precisely what is going on: automatically downloading and installing a binary extension with no source code clearly runs very contrary to this spirit.

In the light of this, Google developers announced today that they would make a change to Chromium; as of today, builds of Chromium 45 will no longer download the module by default.