[Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome

Joseph Graham joseph at t67.eu
Sun Jun 21 22:32:35 GMT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On 21 June 2015 22:30:15 BST, hellekin <hellekin at gnu.org> wrote:
>Now that's nasty.  Is Chromium in Parabola affected by this "bug"
>(meaning: wiretapping device)?
>
>==
>hk
>
>
>-------- Forwarded Message --------
>Subject: Google has been stealth downloading audio listeners onto every
>computer that runs Chrome
>Date: Sun, 21 Jun 2015 13:06:19 -0700
>From: Seth <list at sysfu.com>
>To: cypherpunks at cpunks.org
>
>from
>https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/
>
>
>Posted on June 18, 2015 by Rick Falkvinge
>
>Google Chrome Listening In To Your Room Shows The Importance Of Privacy
>Defense In Depth
>
>Yesterday, news broke that Google has been stealth downloading audio
>listeners onto every computer that runs Chrome, and transmits audio data
>back to Google. Effectively, this means that Google had taken itself the
>right to listen to every conversation in every room that runs Chrome
>somewhere, without any kind of consent from the people eavesdropped on.
>In official statements, Google shrugged off the practice with what
>amounts to “we can do that”.
>
>It looked like just another bug report. "When I start Chromium, it
>downloads something." Followed by strange status information that
>notably included the lines "Microphone: Yes" and "Audio Capture
>Allowed: Yes".
>
>chrome-voicesearch
>
>Without consent, Google’s code had downloaded a black box of code that
>– according to itself – had turned on the microphone and was actively
>listening to your room.
>
>A brief explanation of the Open-source / Free-software philosophy is
>needed here. When you’re installing a version of GNU/Linux like Debian
>or Ubuntu onto a fresh computer, thousands of really smart people have
>analyzed every line of human-readable source code before that operating
>system was built into computer-executable binary code, to make it
>common and open knowledge what the machine actually does instead of
>trusting corporate statements on what it’s supposed to be doing.
>Therefore, you don’t install black boxes onto a Debian or Ubuntu
>system; you use software repositories that have gone through this
>source-code audit-then-build process. Maintainers of operating systems
>like Debian and Ubuntu use many so-called “upstreams” of source code to
>build the final product.
>
>Chromium, the open-source version of Google Chrome, had abused its
>position as trusted upstream to insert lines of source code that
>bypassed this audit-then-build process, and which downloaded and
>installed a black box of unverifiable executable code directly onto
>computers, essentially rendering them compromised. We don’t know and
>can’t know what this black box does. But we see reports that the
>microphone has been activated, and that Chromium considers audio
>capture permitted.
>
>This was supposedly to enable the “Ok, Google” behavior – that when you
>say certain words, a search function is activated. Certainly a useful
>feature. Certainly something that enables eavesdropping of every
>conversation in the entire room, too.
>
>Obviously, your own computer isn’t the one to analyze the actual search
>command. Google’s servers do. Which means that your computer had been
>stealth configured to send what was being said in your room to somebody
>else, to a private company in another country, without your consent or
>knowledge, an audio transmission triggered by… an unknown and
>unverifiable set of conditions.
>
>Google had two responses to this. The first was to introduce a
>practically-undocumented switch to opt out of this behavior, which is
>not a fix: the default install will still wiretap your room without
>your consent, unless you opt out, and more importantly, know that you
>need to opt out, which is nowhere a reasonable requirement. But the
>second was more of an official statement following technical
>discussions on Hacker News and other places. That official statement
>amounted to three parts (paraphrased, of course):
>
>1) Yes, we’re downloading and installing a wiretapping black-box to
>your computer. But we’re not actually activating it. We did take
>advantage of our position as trusted upstream to stealth-insert code
>into open-source software that installed this black box onto millions
>of computers, but we would never abuse the same trust in the same way
>to insert code that activates the eavesdropping-blackbox we already
>downloaded and installed onto your computer without your consent or
>knowledge. You can look at the code as it looks right now to see that
>the code doesn’t do this right now.
>
>2) Yes, Chromium is bypassing the entire source code auditing process
>by downloading a pre-built black box onto people’s computers. But
>that’s not something we care about, really. We’re concerned with
>building Google Chrome, the product from Google. As part of that, we
>provide the source code for others to package if they like. Anybody who
>uses our code for their own purpose takes responsibility for it. When
>this happens in a Debian installation, it is not Google Chrome’s
>behavior, this is Debian Chromium’s behavior. It’s Debian’s
>responsibility entirely.
>
>3) Yes, we deliberately hid this listening module from the users, but
>that’s because we consider this behavior to be part of the basic Google
>Chrome experience. We don’t want to show all modules that we install
>ourselves.
>
>If you think this is an excusable and responsible statement, raise your
>hand now.
>
>Now, it should be noted that this was Chromium, the open-source version
>of Chrome. If somebody downloads the Google product Google Chrome, as
>in the prepackaged binary, you don’t even get a theoretical choice.
>You’re already downloading a black box from a vendor. In Google Chrome,
>this is all included from the start.
>
>This episode highlights the need for hard, not soft, switches to all
>devices – webcams, microphones – that can be used for surveillance. A
>software on/off switch for a webcam is no longer enough, a hard shield
>in front of the lens is required. A software on/off switch for a
>microphone is no longer enough, a physical switch that breaks its
>electrical connection is required. That’s how you defend against this
>in depth.
>
>Of course, people were quick to downplay the alarm. “It only listens
>when you say ‘Ok, Google’.” (Ok, so how does it know to start listening
>just before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A
>company stealth installs an audio listener that listens to every room
>in the world it can, and transmits audio data to the mothership when it
>encounters an unknown, possibly individually tailored, list of keywords
>– and it’s no big deal!?) “You can opt out. It’s in the Terms of
>Service.” (No. Just no. This is not something that is the slightest
>amount of permissible just because it’s hidden in legalese.) “It’s
>opt-in. It won’t really listen unless you check that box.” (Perhaps. We
>don’t know, Google just downloaded a black box onto my computer. And it
>may not be the same black box as was downloaded onto yours.)
>
>Early last decade, privacy activists practically yelled and screamed
>that the NSA’s taps of various points of the Internet and telecom
>networks had the technical potential for enormous abuse against
>privacy. Everybody else dismissed those points as basically
>tinfoilhattery – until the Snowden files came out, and it was revealed
>that precisely everybody involved had abused their technical capability
>for invasion of privacy as far as was possible.
>
>Perhaps it would be wise to not repeat that exact mistake. Nobody, and
>I really mean nobody, is to be trusted with a technical capability to
>listen to every room in the world, with listening profiles customizable
>at the identified-individual level, on the mere basis of “trust us”.
>
>Privacy remains your own responsibility.
>
>Rick Falkvinge
>ABOUT RICK FALKVINGE
>Rick is the founder of the first Pirate Party and is a political
>evangelist, traveling around Europe and the world to talk and write
>about ideas of a sensible information policy. He has a tech
>entrepreneur background and loves whisky. Read more of his articles on
>his website.
>
>
>
>
>
>_______________________________________________
>Dev mailing list
>Dev at lists.parabola.nu
>https://lists.parabola.nu/mailman/listinfo/dev

Of course: this is very funny.
- --
Sent from my CyanogenMod device with K-9 Mail.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQE7BAEBCgAlBQJVhzuDHhxKb3NlcGggR3JhaGFtIDxqb3NlcGhAdDY3LmV1PgAK
CRD2o/UN/vt/KYyTB/9NpXGGQ5DEUtC4ZqzCGUMRQqGqfNNWYxrPm+srK7LBoDui
AigkwQZKjKepbuUnjExPW870AytMvHQY8w9HrfaCmG98+dR4W3sXvHn39SqU6JI7
WR8kl26P7eeZCxWBJv/+1pHJY7+ORMZrq3XvY2cAJLOXu5lPvI+SZIib7JtJFl5p
V0D0T8mWAkP1ob2qYyztPHPGQyzvd1NG7HuG7LO8HUGMLchoYXy0KSCRpCLhfJAP
8j9K4h7b/wBhWSf3X8sirBqfBd4aIh5Vyio6q4U9WXOrBLMYnUTiDizCDkux58IW
SuXlKrOb6KbyGqJbPhBIiGBJK1dG5rT//LWnZLTy
=fHW6
-----END PGP SIGNATURE-----