UPDATE At about 23:00 (Pacific time, June 23) At about 23:00 (Pacific time, June 23) Google announced that they are removing the hotwording component entirely from Chromium: “it is not open source, it does not belong in the open source browser”. Good news.

A few days ago, while I was working on my PC at home, I noticed something strange. My PC has a web camera (combined with a microphone) that sits on top of my monitor, and the camera has a small blue LED that lights when the camera and/or microphone are operating.

While I was working I thought I’m noticing that an LED goes on and off, on the corner of my eyesight. And after a few times when it just seemed weird, I sat to watch for it and saw it happening. Every few seconds or so. I opened Task Manager (I’m working on Windows. Apologies.) and looked for a process to blame on that dodgy activity. Who is listening to me? I didn’t find anything. I know my PC pretty well and I didn’t have any crappy malware accidentally installed. There were a few suspicious processes that I shut down but it didn’t make any difference, and I left it like that.

And then I’ve come across this bug report – it’s Google! And according to them it’s not a bug! They silently put this new module in Chrome (or Chromium to be precise, doesn’t matter much from an end-user perspective). It’s a prepackaged binary and Google’s response response to the “issue” was pretty odd. Some quotes:

… while we do download the hotword module on startup, we do not activate it unless you opt in to hotwording.

And:

You don’t have to take my word for it. Starting and stopping the hotword module is controlled by some open source code in Chromium itself, so while you cannot see the code inside the module, you can trust that it is not actually going to run unless you opt in.

Trustworthy? I’m not so sure.

Google says the module is there so the browser could respond to “OK Google”. But what if I don’t want it at all? why injecting such a privacy-sensitive module in the first place instead of asking me whether I deliberately want this feature?

This is the thing: we’ve already given our privacy and secrets to Google. They know what we search, who we correspond with, our locations and much more. But this eavesdropping takes it one step further: theoretically, one could control what they reveal to Google by being aware to their computer and mobile usage. Eavesdropping though takes it one step further. You can be totally unconscious to what Google intercepts from your private room.

What’s more worrying is the huge opportunity (and hence security and privacy risk for us) it gives to 3rd party vendors, like Chrome extensions, that will now be able to eavesdrop much easier. After all, you’ll get used to see your microphone/camera going on often, and since these things don’t run in their own process but rather Chrome’s one, you won’t really know they do it until you start eliminating (disabling extensions one by one etc.)

Oh, and go read this post if you’re already angry enough.

What do you think? A real concern or an over-panic?