Google plant den großen Lauschangriff

Und wir machen uns Gedanken um die Vorratsdatenspeicherung…..

Wie ich gerade lesen musste beinhaltet das neuste Google Chrome Update eine Funktion, welche bei dem ein oder anderen (oder allen) Nutzer(n) für Verwirrung sorgen dürfte. Verwirrung in dem Sinne von: Gehts noch! Chrome lauscht jetzt auf sogenannte Keywords, welche den Start einer Sprachsuche auslösen sollen. Also in etwa bzw. genau wie das „OK Google“ das man bereits von seinem Android Smartphone kennt.

Der Unterschied zu eurem Smartphone ist allerdings, dass Google die gesamten Daten an ihre Server weiterleitet um das Sprachkommando auszuwerten. Somit wird jeder Chrome Browser zu einer Art Abhörstation. Ich denke mal nicht, dass die Gespräche wirklich ausgewertet werden, da dies ja schon fast an Firmenspionage heran kommen würde, wenn man mal bedenkt in wie vielen Firmen der Chrome Browser im Einsatz ist, dennoch hinterlässt das ganze schon einen sehr fragwürdigen Eindruck. Die Frage ist hier: Bug oder Feature?

chrome-voicesearch

Ob die Sprachsuche bei euch aktiv ist, könnt ihr über den Aufruf der Url chrome://voicesearch prüfen. Unter den chrome://settings muss die Option für die Sprachsuche gesetzt sein, sonst ist das ganze laut Google nicht aktiv. Hier mal der Auszug. Sollte man mal gelesen haben:

I think there are a number of separate issues here so I'll address each one.

* 1. Hotword activates / records audio without asking for user permission.

First and foremost, while we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording. If you go into "chrome://settings", you will see a checkbox "Enable "Ok Google" to start a voice search". This should be unchecked by default, and if you do not check it, the hotword module will not be started.

You don't have to take my word for it. Starting and stopping the hotword module is controlled by some open source code in Chromium itself [3], so while you cannot see the code inside the module, you can trust that it is not actually going to run unless you opt in.

* 2. Downloading a binary blob into an open source application.

The significance of this depends on whether you're running Google Chrome (the official distribution) or Chromium. Now, you've reported in your "steps to reproduce" using Chrome on Mac.

If we're talking about Chrome: Google Chrome (as opposed to Chromium) is not open source. It contains various bits of proprietary binary code, and always has. Therefore, whether it downloads the hotword module from the web store, or includes it in the distribution, is irrelevant from a trust standpoint. From our standpoint, the fact that the hotword module is a separate extension (rather than built in to the browser) is an implementation detail.

Since a lot of the discussion is centered around Chromium on Linux, I want to address the concern that Chromium is entirely open source and yet it downloads a proprietary module. The key here is that Chromium is not a Google product (we do not directly distribute it, or make any guarantees with respect to compliance with various open source policies). Our primary focus is getting code ready for Google Chrome. If a third party (such as Debian) destributes it, it is their responsibility to enforce their own policy. And I see that they have now done that (as of 43.0.2357.81-1) by disabling the hotword module. We have also made changes from Chromium 45 onwards to make it easier for third party distributors to disable hotwording (see  Issue 491435 ).

Another key point is that the binary blob is not a native executable or library. It is a NaCl module, and therefore subject to the full sandbox of the NaCl platform. The hotword module has the same privileges as any website (except that it automatically has access to the microphone).

* 3. Not showing the extension in the extension list.

We call extensions that are built into or automatically downloaded by Chrome "component extensions" and we do not show them in the extension list by design. This is because as I was saying above, we consider component extensions to be part of the basic Chrome experience (it is an implementation detail that they are separate extensions). The chrome://extensions UI is a place for users to manage the extensions that they have installed themselves; it would be confusing if that list was pre-populated with bits and pieces that are a core part of the browser.

I hope this explanation is satisfactory. I am closing this as WontFix because it is already an opt-in feature, and Debian has already removed the component in their distribution of Chromium [2].