Is Google Eavesdropping on Chromium Users?

Andre Infante 26-06-2015

Google has found itself in hot water after open source developers noticed that the Debian version of Chromium, the open-source version of Google Chrome, is downloading black-box code from Google, designed to listen to the user via any connected microphone and stream the audio back for analysis.


Obviously, this sounds pretty bad, but the situation is a little more complicated than this would suggest, so let’s take a step back and see what’s really going on.

What is Open Source?

For those unfamiliar, in open source software development, developers work together to create software with source code freely available for review and modification. This is an alternative to commercial software development, where software is developed in secret, and the compiled files (but not the source code) are sold to customers as a black box.

Open source development, because it doesn’t sell its product, relies on donations of time and money from developers and corporations – as a result, development tends to go more slowly, and it can be difficult to get the tedious parts of software development done.

That said, in terms of security, open source has major advantages. In particular, when the code is publicly available, it’s easy to verify that the software is doing what it’s supposed to be doing, and doesn’t contain backdoors or fatal bugs. Open source code is trustworthy in a way that commercial software is not.



In the real world, it’s nearly impossible to get by using exclusively open source software. As a result, many open source programs use closed-source components for various purposes. For example, the standard Flash player used by your browser is closed source, so most browsers on Linux load this (closed-source) module in order to play Flash content.

A Digital Wiretap?

The module that Chrome installed is the module that allows the browser to respond to voice searches starting with “Okay Google” from any screen, a convenient feature of the Google Now platform.

The module is similar to other closed-source components like the Flash player, but it attracted the ire of the open-source community for two key reasons.

  1. Its function is potentially invasive – it’s designed to allow the browser to recognize sentences that begin with “OK Google,” and automatically search for them. For technological reasons, this speech recognition can’t be performed client-side. When the module is activated, it streams all audio it picks up to a Google server for analysis.
  2. The module is downloaded automatically, and without directly alerting the user. Most open-source software, by convention, asks the user before installing closed-source components. While the module is disabled by default, it’s still installed without the user’s direct permission.

As Rick Falkvinge, the founder of the Swedish Pirate Party, puts it,


“Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code […] which downloaded and installed a black box […] We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.

This was supposedly to enable the “OK, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.”

The Rebuttal

Technically, Falkvinge is completely correct. However, I can’t help but feel that the response to this issue has been a little bit hysterical.

One day, I have no doubt, Google will roll out a feature that listens to you all the time and data-mines your conversations. I’m also sure that when Google rolls out that functionality, it will advertise the hell out of it, probably with cheerful pastel-colored graphics. There’s no reason to do it secretly, because hardly anyone is actually going to care.

The module that Google installed is already present in every Chrome browser on Earth – Chromium users are at no special risk. Google’s sin here isn’t spying on the world, so much as violating some implicit taboos in the open-source community. Most of the fuss here comes down to a culture conflict between the open source crowd, which has extremely high standards for security and privacy, and Google, which develops commercial software for a customer base that has, so far, not made their privacy a priority.

Google’s official statement on the subject runs along similar lines.


“Chromium is entirely open source and yet it downloads a proprietary module. The key here is that Chromium is not a Google product (we do not directly distribute it, or make any guarantees with respect to compliance with various open source policies). Our primary focus is getting code ready for Google Chrome. If a third party (such as Debian) distributes it, it is their responsibility to enforce their own policy.”

In other words: Chromium isn’t a Google product, and it isn’t Google’s job to preserve the sanctity of open source.

A Sign of Things to Come

All of this isn’t to say that Google isn’t spying on you: if you opt in to use the module, they totally are. But they’re spying on you in a way that we’ve all pretty much come to accept: consensually, and without human intervention. The contents of your Google searches becoming public would be humiliating to pretty much anybody, but we have a degree of trust that these searches are seen only by abstract machine learning infrastructure deep in the belly of a server farm somewhere. Presumably, the same will go for the contents of conversations that take place near an “OK Google” enabled computer.

If you object to this, you are welcome to use a different open-source browser that does not use closed source components. You may also want to move to an EM-shielded bunker in the Rockies, because you are not going to like the rest of the future. The trend in technology so far has been giving up privacy for convenience, and there’s no sign that the process is slowing.



Take this idea to its logical limit. In a decade or two, I’d wager, most people are going to be wearing some kind of head-mounted smart device: portable augmented reality hardware, streamlined down to the size of a pair of sunglasses. Obviously, these will be more useful if you give Google or Apple or Microsoft an always-on stream of everything you see and hear for analysis. Will people go for it? Based on recent history, I think there’s a very good chance that they will.

So to bring it back to the issue at hand: relax, Chromium users. Google’s not spying on you. But they will be, soon, and you are going to love it.

Or are you? Tell us how you feel about this in the comments.

Image credits: Google Glass, Open Source Keyhole, by Wikimedia



  1. Anonymous
    June 27, 2015 at 11:17 pm

    @Andre: "comes down to a culture conflict between the open source crowd" - if you really think that's what this issue comes down to, I feel sorry for you.

  2. Anonymous
    June 27, 2015 at 12:57 pm

    If it's inevitable, why don't we all run out and get implanted with RFID chips to make the surveillance easier?

    • Andre Infante
      June 27, 2015 at 5:41 pm

      I don't think the RFID would help much over the GPS we keep in our pocket at all times that regularly tells Google everywhere we've gone.

      • Anonymous
        June 29, 2015 at 1:01 pm

        Why should Google have all the fun? With an implanted RFID chip everybody and his uncle can get in on the fun of tracking us 24/7/365. Besides, there are times, albeit increasingly infrequent, when we don't have the GPS tracker with us. RFID chip will fill that void for those tracking us.

        Within 10 years, if not sooner, UK and US governments will mandate that everyone be implanted so that "terrorists can be tracked in real time in the interest of national security". Of course politicians will be exempt from this ukase.

  3. Guy McDowell
    June 26, 2015 at 11:02 pm

    When every politician, royal, and C-level executive of Fortune 500 companies starts streaming their lives 24 hours a day, I'll consider allowing this kind of intrusion into my life as well. Until then, they can stay out of it.

  4. Anonymous
    June 26, 2015 at 5:19 pm

    What is stopping the NSA or any other government agency or spy service from eavesdropping using this technique?