Last week reports by Rick Falkvinge (Private Internet Access) and Jake Edge (Linux Weekly News) pointed out the ability of Google Chromium to listen into private conversations without users knowledge. Since then developers and users around the world voiced concerns. According to Google the feature was intended to be used for voice searches prompted by the phrase “Ok Google” and wasn’t listening to users conversations.
We’re pleased to hear that Google decided to pull the voice extension from Chromium. The module will no longer be downloaded by default and will be removed if previously installed.
There has been some back and forth since the initial report of a bug in the Debian bug tracker late last month. Google developers addressed questions around the issue last week. Here’s a response from June 17th:
I think there are a number of separate issues here so I'll address each one. * 1. Hotword activates / records audio without asking for user permission. First and foremost, while we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording. If you go into "chrome://settings", you will see a checkbox "Enable "Ok Google" to start a voice search". This should be unchecked by default, and if you do not check it, the hotword module will not be started. You don't have to take my word for it. Starting and stopping the hotword module is controlled by some open source code in Chromium itself [3], so while you cannot see the code inside the module, you can trust that it is not actually going to run unless you opt in. * 2. Downloading a binary blob into an open source application. The significance of this depends on whether you're running Google Chrome (the official distribution) or Chromium. Now, you've reported in your "steps to reproduce" using Chrome on Mac. If we're talking about Chrome: Google Chrome (as opposed to Chromium) is not open source. It contains various bits of proprietary binary code, and always has. Therefore, whether it downloads the hotword module from the web store, or includes it in the distribution, is irrelevant from a trust standpoint. From our standpoint, the fact that the hotword module is a separate extension (rather than built in to the browser) is an implementation detail. Since a lot of the discussion is centered around Chromium on Linux, I want to address the concern that Chromium is entirely open source and yet it downloads a proprietary module. The key here is that Chromium is not a Google product (we do not directly distribute it, or make any guarantees with respect to compliance with various open source policies). Our primary focus is getting code ready for Google Chrome. If a third party (such as Debian) destributes it, it is their responsibility to enforce their own policy. And I see that they have now done that (as of 43.0.2357.81-1) by disabling the hotword module. We have also made changes from Chromium 45 onwards to make it easier for third party distributors to disable hotwording (see Issue 491435 ). Another key point is that the binary blob is not a native executable or library. It is a NaCl module, and therefore subject to the full sandbox of the NaCl platform. The hotword module has the same privileges as any website (except that it automatically has access to the microphone). * 3. Not showing the extension in the extension list. We call extensions that are built into or automatically downloaded by Chrome "component extensions" and we do not show them in the extension list by design. This is because as I was saying above, we consider component extensions to be part of the basic Chrome experience (it is an implementation detail that they are separate extensions). The chrome://extensions UI is a place for users to manage the extensions that they have installed themselves; it would be confusing if that list was pre-populated with bits and pieces that are a core part of the browser.
Google has since changed their mind and decided to pull the voice extension. It will no longer be downloaded by default. Here’s a response from a Google developer posted yesterday:
In light of this issue, we have decided to remove the hotwording component entirely from Chromium. As it is not open source, it does not belong in the open source browser. Chromium builds from r335874 (version 45) onwards will have hotwording disabled by default and will not download the module. There is no way to enable this feature at runtime. Google Chrome users will be unaffected (although, as always, will have to opt in using settings before the hotword module will activate). If you want a version of Chromium with hotwording, you have to build it from source, with the GYP define "enable_hotwording=1" (or equivalently, the GN arg "enable_hotwording = true"). This will produce a custom build of Chromium that downloads the proprietary hotword component. I have also added a field in the chrome://voicesearch page (in 45 onwards) to show you whether the hotword module is installable. If that says "No", then it is not possible to opt in to hotwording (either because the language is unsupported, or because it is a Chromium build).
Chromium r335874 (version 45) will disable “Ok Google” hotwording by default in open source versions. In addition Chromium will not install the Hotword module and will automatically remove it on startup if it was preciously installed.