Google has been stealth downloading audio listeners onto every computer that runs Chrome

[Shelley]

Acknowledged; I know it's a trade-off.  However, TLAs just tap the backbone 
and take everything upstream anyway.  If I were ever a true target, there 
wouldn't be much I could do.

----------
On June 21, 2015 6:28:20 PM Travis Biehn <tbiehn at gmail.com> wrote:

> Hosts that dont behave like all the other swans end up looking like ugly
> ducklings ;)
>
> On Sun, Jun 21, 2015, 9:13 PM Shelley <shelley at misanthropia.org> wrote:
>
> > On June 21, 2015 3:25:07 PM Travis Biehn <tbiehn at gmail.com> wrote:
> >
> > > *Cough* AFAIK if 'OK google' works anything like on Android (and it
> > should)
> > > it locally processes for the trigger phrase, then provides both audio and
> > > visual queues its recording your voice. They aren't constantly recording
> > > everything you say and uploading it.
> > >
> > > It's not exactly the 1984 two-way A/V system its made out to be. Inspect
> > > the source for yourself rather than relying on fantastical reporting.
> > >
> > > Google's products and services are not free, I don't find it surprising
> > > that they datamine voice, they've been offering 'free' PBX systems for
> > > years in exchange for all voice traffic that transits through it -
> > directly
> > > using this to train voice recognition along with YouTube videos and so
> > on.
> > >
> > > Anything on your machine can be tapping you. Your attackers don't need to
> > > bake it into the browser - doing so would be idiotic. Your attackers can
> > > piggy on updates, TAO in, use an exploit or simply bug you. It's way
> > easier
> > > to pop a 10$ bug in the room rather than risking burning some 0day worth
> > > infinitely more on you.
> > >
> >
> > That's why I root and gut my android devices of bloatware and everything
> > google (as much as is technologically possible), and block access to
> > google/failbook etc. tracking BS in my hosts file (all those idiotic 'like'
> > and 'share' buttons too.  Pages load much quicker.)
> >
> > I side load everything and stick to FOSS.  I've disabled voice search, and
> > nothing uses data or accesses the net without my knowledge.  It's certainly
> > no blackphone, but it's about as secure as any civilian 24/7 tracking
> > device can be and meets my needs.
> >
> > Also, it's easy to run debian on most devices, but there's always CM if
> > someone prefers.
> >
> > -S
> >
> >
> > > On Sun, Jun 21, 2015, 5:46 PM Kurt Buff <kurt.buff at gmail.com> wrote:
> > >
> > > > That's pretty easy. Fire up wireshark, look for packets heading to
> > > > google-owned addresses.
> > > >
> > > > Kill off processes one by one until you see those packets stop.
> > > >
> > > > You have found your culprit.
> > > >
> > > > Kurt
> > > >
> > > > On Sun, Jun 21, 2015 at 2:28 PM, Tim Beelen <tim at diffalt.com> wrote:
> > > > > How do I find out what program is listening to my microphone?
> > > > >
> > > > >
> > > > > On 6/21/2015 4:55 PM, Shelley wrote:
> > > > >>
> > > > >> ----------
> > > > >> On June 21, 2015 1:14:32 PM Seth <list at sysfu.com> wrote:
> > > > >>
> > > > >>>  from
> > > > >>>
> > > > >>>
> > > >
> > >
> > 
> https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/
> > > > >>>
> > > > >>>
> > > > >>> Posted on June 18, 2015 by Rick Falkvinge
> > > > >>>
> > > > >>> Google Chrome Listening In To Your Room Shows The Importance Of
> > Privacy
> > > > >>> Defense In Depth
> > > > >>
> > > > >>
> > > > >>
> > > > >> Wow, this is exactly the kind of bullshit- and bullshit response-
> > I'd
> > > > >> expect from this duplicitous NSA asset.
> > > > >>
> > > > >> I keep a seldom-used, older version of chromium on one of my debian
> > > > >> laptops so I'll check for this.  My webcam and microphone are
> > physically
> > > > >> disconnected anyway, but I still want to see if their spyware has
> > > > infected
> > > > >> my system.  Fuckers.
> > > > >>
> > > > >> Thanks for posting this; I've been out of the news loop for a
> > couple of
> > > > >> days.
> > > > >>
> > > > >> -S
> > > > >>
> > > > >>
> > > > >>>
> > > > >>> Yesterday, news broke that Google has been stealth downloading
> > audio
> > > > >>> listeners onto every computer that runs Chrome, and transmits audio
> > > > data
> > > > >>> back to Google. Effectively, this means that Google had taken
> > itself
> > > > the
> > > > >>> right to listen to every conversation in every room that runs
> > Chrome
> > > > >>> somewhere, without any kind of consent from the people
> > eavesdropped on.
> > > > >>> In
> > > > >>> official statements, Google shrugged off the practice with what
> > amounts
> > > > >>> to
> > > > >>> “we can do that”.
> > > > >>>
> > > > >>> It looked like just another bug report. "When I start Chromium, it
> > > > >>> downloads something." Followed by strange status information that
> > > > notably
> > > > >>> included the lines "Microphone: Yes" and "Audio Capture Allowed:
> > Yes".
> > > > >>>
> > > > >>> chrome-voicesearch
> > > > >>>
> > > > >>> Without consent, Google’s code had downloaded a black box of code
> > that
> > > > –
> > > > >>> according to itself – had turned on the microphone and was actively
> > > > >>> listening to your room.
> > > > >>>
> > > > >>> A brief explanation of the Open-source / Free-software philosophy
> > is
> > > > >>> needed here. When you’re installing a version of GNU/Linux like
> > Debian
> > > > or
> > > > >>> Ubuntu onto a fresh computer, thousands of really smart people have
> > > > >>> analyzed every line of human-readable source code before that
> > operating
> > > > >>> system was built into computer-executable binary code, to make it
> > > > common
> > > > >>> and open knowledge what the machine actually does instead of
> > trusting
> > > > >>> corporate statements on what it’s supposed to be doing. Therefore,
> > you
> > > > >>> don’t install black boxes onto a Debian or Ubuntu system; you use
> > > > >>> software
> > > > >>> repositories that have gone through this source-code
> > audit-then-build
> > > > >>> process. Maintainers of operating systems like Debian and Ubuntu
> > use
> > > > many
> > > > >>> so-called “upstreams” of source code to build the final product.
> > > > >>>
> > > > >>> Chromium, the open-source version of Google Chrome, had abused its
> > > > >>> position as trusted upstream to insert lines of source code that
> > > > bypassed
> > > > >>> this audit-then-build process, and which downloaded and installed a
> > > > black
> > > > >>> box of unverifiable executable code directly onto computers,
> > > > essentially
> > > > >>> rendering them compromised. We don’t know and can’t know what this
> > > > black
> > > > >>> box does. But we see reports that the microphone has been
> > activated,
> > > > and
> > > > >>> that Chromium considers audio capture permitted.
> > > > >>>
> > > > >>> This was supposedly to enable the “Ok, Google” behavior – that
> > when you
> > > > >>> say certain words, a search function is activated. Certainly a
> > useful
> > > > >>> feature. Certainly something that enables eavesdropping of every
> > > > >>> conversation in the entire room, too.
> > > > >>>
> > > > >>> Obviously, your own computer isn’t the one to analyze the actual
> > search
> > > > >>> command. Google’s servers do. Which means that your computer had
> > been
> > > > >>> stealth configured to send what was being said in your room to
> > somebody
> > > > >>> else, to a private company in another country, without your
> > consent or
> > > > >>> knowledge, an audio transmission triggered by… an unknown and
> > > > >>> unverifiable
> > > > >>> set of conditions.
> > > > >>>
> > > > >>> Google had two responses to this. The first was to introduce a
> > > > >>> practically-undocumented switch to opt out of this behavior, which
> > is
> > > > not
> > > > >>> a fix: the default install will still wiretap your room without
> > your
> > > > >>> consent, unless you opt out, and more importantly, know that you
> > need
> > > > to
> > > > >>> opt out, which is nowhere a reasonable requirement. But the second
> > was
> > > > >>> more of an official statement following technical discussions on
> > Hacker
> > > > >>> News and other places. That official statement amounted to three
> > parts
> > > > >>> (paraphrased, of course):
> > > > >>>
> > > > >>> 1) Yes, we’re downloading and installing a wiretapping black-box to
> > > > your
> > > > >>> computer. But we’re not actually activating it. We did take
> > advantage
> > > > of
> > > > >>> our position as trusted upstream to stealth-insert code into
> > > > open-source
> > > > >>> software that installed this black box onto millions of computers,
> > but
> > > > we
> > > > >>> would never abuse the same trust in the same way to insert code
> > that
> > > > >>> activates the eavesdropping-blackbox we already downloaded and
> > > > installed
> > > > >>> onto your computer without your consent or knowledge. You can look
> > at
> > > > the
> > > > >>> code as it looks right now to see that the code doesn’t do this
> > right
> > > > >>> now.
> > > > >>>
> > > > >>> 2) Yes, Chromium is bypassing the entire source code auditing
> > process
> > > > by
> > > > >>> downloading a pre-built black box onto people’s computers. But
> > that’s
> > > > not
> > > > >>> something we care about, really. We’re concerned with building
> > Google
> > > > >>> Chrome, the product from Google. As part of that, we provide the
> > source
> > > > >>> code for others to package if they like. Anybody who uses our code
> > for
> > > > >>> their own purpose takes responsibility for it. When this happens
> > in a
> > > > >>> Debian installation, it is not Google Chrome’s behavior, this is
> > Debian
> > > > >>> Chromium’s behavior. It’s Debian’s responsibility entirely.
> > > > >>>
> > > > >>> 3) Yes, we deliberately hid this listening module from the users,
> > but
> > > > >>> that’s because we consider this behavior to be part of the basic
> > Google
> > > > >>> Chrome experience. We don’t want to show all modules that we
> > install
> > > > >>> ourselves.
> > > > >>>
> > > > >>> If you think this is an excusable and responsible statement, raise
> > your
> > > > >>> hand now.
> > > > >>>
> > > > >>> Now, it should be noted that this was Chromium, the open-source
> > version
> > > > >>> of
> > > > >>> Chrome. If somebody downloads the Google product Google Chrome, as
> > in
> > > > the
> > > > >>> prepackaged binary, you don’t even get a theoretical choice. You’re
> > > > >>> already downloading a black box from a vendor. In Google Chrome,
> > this
> > > > is
> > > > >>> all included from the start.
> > > > >>>
> > > > >>> This episode highlights the need for hard, not soft, switches to
> > all
> > > > >>> devices – webcams, microphones – that can be used for
> > surveillance. A
> > > > >>> software on/off switch for a webcam is no longer enough, a hard
> > shield
> > > > in
> > > > >>> front of the lens is required. A software on/off switch for a
> > > > microphone
> > > > >>> is no longer enough, a physical switch that breaks its electrical
> > > > >>> connection is required. That’s how you defend against this in
> > depth.
> > > > >>>
> > > > >>> Of course, people were quick to downplay the alarm. “It only
> > listens
> > > > when
> > > > >>> you say ‘Ok, Google’.” (Ok, so how does it know to start listening
> > just
> > > > >>> before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A
> > company
> > > > >>> stealth installs an audio listener that listens to every room in
> > the
> > > > >>> world
> > > > >>> it can, and transmits audio data to the mothership when it
> > encounters
> > > > an
> > > > >>> unknown, possibly individually tailored, list of keywords – and
> > it’s no
> > > > >>> big deal!?) “You can opt out. It’s in the Terms of Service.” (No.
> > Just
> > > > >>> no.
> > > > >>> This is not something that is the slightest amount of permissible
> > just
> > > > >>> because it’s hidden in legalese.) “It’s opt-in. It won’t really
> > listen
> > > > >>> unless you check that box.” (Perhaps. We don’t know, Google just
> > > > >>> downloaded a black box onto my computer. And it may not be the same
> > > > black
> > > > >>> box as was downloaded onto yours. )
> > > > >>>
> > > > >>> Early last decade, privacy activists practically yelled and
> > screamed
> > > > that
> > > > >>> the NSA’s taps of various points of the Internet and telecom
> > networks
> > > > had
> > > > >>> the technical potential for enormous abuse against privacy.
> > Everybody
> > > > >>> else
> > > > >>> dismissed those points as basically tinfoilhattery – until the
> > Snowden
> > > > >>> files came out, and it was revealed that precisely everybody
> > involved
> > > > had
> > > > >>> abused their technical capability for invasion of privacy as far
> > as was
> > > > >>> possible.
> > > > >>>
> > > > >>> Perhaps it would be wise to not repeat that exact mistake. Nobody,
> > and
> > > > I
> > > > >>> really mean nobody, is to be trusted with a technical capability to
> > > > >>> listen
> > > > >>> to every room in the world, with listening profiles customizable
> > at the
> > > > >>> identified-individual level, on the mere basis of “trust us”.
> > > > >>>
> > > > >>> Privacy remains your own responsibility.
> > > > >>>
> > > > >>> Rick Falkvinge
> > > > >>> ABOUT RICK FALKVINGE
> > > > >>> Rick is the founder of the first Pirate Party and is a political
> > > > >>> evangelist, traveling around Europe and the world to talk and write
> > > > about
> > > > >>> ideas of a sensible information policy. He has a tech entrepreneur
> > > > >>> background and loves whisky. Read more of his articles on his
> > website.
> > > > >>>
> > > > >>> Twitter |More Posts (91)
> > > > >>>
> > > > >>
> > > > >>
> > > > >
> > > >
> > > >
> >
> >
> >