Google Blogoscoped

Tuesday, September 9, 2008

Google Reacts to Some Chrome Privacy Concerns

The Google Chrome omnibox suggestions

Google had been criticized for some of the privacy issues evolving around Google Chrome. For one thing, Google’s browser Chrome has a so-called omnibox which retrieves suggestions from Google’s servers as you type (before you hit return). Other services too – like the Google homepage – use Google Suggest. Now, Google announced that the 2% of these Suggest requests which they currently randomly store, they would work on anonymizing after 24 hours. Currently, they log data “like IP addresses” with these requests, they say. Google announced the change is expected “to be in place before the end of the month.” So if you believe Google treats the data the way they say they do (and they securely manage to never let that as-you-type data be seen in ways other than they intended) then there will be less privacy concerns in this area.

The application ID, and installation directory

Another issue that raised eyebrows – at least in some German blogs and news sites I saw – was an application-specific identifier that is stored with Chrome... along with the fact that Chrome doesn’t install in the programs directory, but in the user directory. On the issue of the installation directory, Google tells me:

Google Chrome is a per-user install and doesn’t require admin privileges. This forces us to put it in the User Data directory. For our software update system to work, allowing us to rapidly distribute security updates, Google Chrome must be installed in a location where the user has write access. This location is recommended by Microsoft for per-user application installations.

As for the application ID, Google points to their manager Brian Rakowski, who at the Chromium project issues site states:

There’s a little confusion here that I’d like to clear up. There are two IDs being discussed. They are stored and used separately.

First of all, there is an installation ID (iid) which is created at install time to de-dup install counts. This is necessary to accurately count the number of successful installations that have occurred. The iid is generated randomly (not based on any other information) and is deleted in the next update check after first run.

There is a second ID called the clientID which is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how the product is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics on the “Under the Hood” tab of options.

Statements by the German Federal Office for Information Security

In the meantime, the German Federal Office for Information Security – which reportedly warned against using Google Chrome – got back to me with a pointer to one of their statements. The official release of theirs includes no strict warning against any and all usage of Chrome, but still voices concerns – in particular over making available a beta version to such a mainstream audience, perhaps considering Google linked to their browser from a lot of their national homepages. Quote the FOIS (translation from German):

Immediately after the release of the Beta version of the new browser Google Chrome, the FOIS put the product to a professional test. Specifically, during this test previously publicized vulnerabilities were reproduced.

In this context it raises concerns that the product is made available to a broad audience, for instance, as a download link on, without mentioning the characteristics of Beta programs and the precautionary measures needed when running them.

Beta versions should generally not be used for everyday purposes. (...) This directive is true for all browser vendors publishing Beta versions, such as Google, Mozilla and Microsoft.

The FOIS offers some positive aspects for Chrome, too, including this one:

Due to being open source, Google Chrome – like Mozilla Firefox – allows a review of its security measures by independent experts. This can increase the IT security level.

Wikipedia on the subject says that “Betaware is a nickname for software which has passed the alpha testing stage of development and has been released to a limited amount of users for software testing before its official release.” On the other hand, Google and other web companies have a tradition of making beta releases available to the general public; Gmail, still in beta, is one example.

Chrome security vulnerabilities

As for the Chrome security, Google already acknowledged the discovery – but also the fix – of issues including one that could “lead to execution of arbitrary code” through a “buffer overflow vulnerability in handling long filenames that display in the Save As... dialog,” as mentioned in their Chromium announcements group.

Another change they announced is that the desktop cannot be the default destination for downloads anymore; considering that in Chrome files could be automatically downloaded without user confirmation (using default options) this potentially led to dropping something on the desktop. Still, the default setting in the newest Chrome is that users won’t be asked whether or not to save a file; an odd design choice on Google’s part it seems, especially considering their statements that processes are like “jails” without the ability to write files to the hard drive. “Something bad could be running in this tab – but as soon as you close it, it’s gone,” Google said in their comic book. Shouldn’t exceptions from this rule consequently ask for approval first?

Another behavior, which may be a bug, is that Chrome during the first seconds of start-up currently stores two Google cookies... even when you set the browser homepage to be blank, the search service to Microsoft Live, and delete all cookies (Ionut says it may be related to this issue). I’ll add an update should Google reply with more information on this.

[Hat tip to Juha-Matti Laurio, Ionut, and Matt Cutts in the forum.]


Blog  |  Forum     more >> Archive | Feed | Google's blogs | About


This site unofficially covers Google™ and more with some rights reserved. Join our forum!