Slashdot Mirror


Google Criticized For 'Opaque' Audio-Listening Binary In Debian Chromium

An anonymous reader writes: Google has fallen under criticism for including a compiled audio-monitoring binary in Chromium for Debian. A report was logged at Debian's bug register on Tuesday noting the presence of a non-auditable 'hotword' module in Chromium 43. The module facilitates Google's "OK, Google" functionality, which listens for that phrase via a Chrome user's microphone and attempts afterwards to interpret the user's instructions as a search query. Matt Giuca from the Chromium development team responded after the furore developed, disclaiming Google from any responsibility for auditing Chromium code, but promising clearer controls over the feature in release 45.


  1. Turn off in Windows? by nefus · · Score: 2

    So is the microphone on by default in Windows? How would you turn it off?

    1. Re:Turn off in Windows? by gbjbaanb · · Score: 2

      unplug it, or if it's embedded, remove the audio driver for it, or set the 'volume' control so it cannot hear anything anyway. And put some tape over the little hole it listens through.

      Now.. good luck doing that on your phone.... best just to remove the app (if you can) or trust Google not to have slipped this stuff into Android as part of its voice activation feature (for your convenience, of course)

    2. Re:Turn off in Windows? by swillden · · Score: 3, Informative

      unplug it, or if it's embedded, remove the audio driver for it, or set the 'volume' control so it cannot hear anything anyway. And put some tape over the little hole it listens through.

      Now.. good luck doing that on your phone.... best just to remove the app (if you can) or trust Google not to have slipped this stuff into Android as part of its voice activation feature (for your convenience, of course)

      Hotword detection is optional in Android. If you don't like it, just turn it off.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Turn off in Windows? by drinkypoo · · Score: 3, Interesting

      Hotword detection is optional in Android. If you don't like it, just turn it off.

      The software which provides hotword detection on Android is also not auditable. How do you know it doesn't turn itself on when it detects that you're not looking at it, or monitoring it via adb? Oh no, I don't really think that it does either, but it's precisely the same concern as on Debian. You'd have to not install the google services to be sure you were avoiding it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Turn off in Windows? by swillden · · Score: 4, Insightful

      Hotword detection is optional in Android. If you don't like it, just turn it off.

      The software which provides hotword detection on Android is also not auditable. How do you know it doesn't turn itself on when it detects that you're not looking at it, or monitoring it via adb? Oh no, I don't really think that it does either, but it's precisely the same concern as on Debian. You'd have to not install the google services to be sure you were avoiding it.

      If that's your level of paranoia, you're lost, and omitting the Google services doesn't help.

      The fact is that you implicitly and deeply trust all the companies in the production pipeline for the networked electronic devices you use, because absolutely any one of them can easily arrange for whatever sort of backdoor they want. It's a little tougher for the hardware component vendors, I'll grant, but if they do the work they're in the best position of all to compromise your security without any possibility that you could find it.

      With Android specifically, though, I'm interested in ideas for how we can make the system more transparent. We can't do anything about hardware-level compromises, but I'd like it if the upper layers were more auditable -- and note that having access to source code that purports to be what's running on the device doesn't get you there.

      One idea I've been toying with is a framework-level network tap that allows you to divert a copy of every bit that your phone sends or receives, via network, Wifi, bluetooth, NFC or USB, for your perusal and examination. Since most apps use the framework APIs for SSL, it should be possible to snarf this data before it's encrypted, too. Of course, there's a big downside: if this single data collection point exists, it will be a tremendously attractive target for compromise by other parties who want to see what your device sends or receives.

      You're a smart person, do you have any ideas for what Android could do to make its operations more transparent? We can't achieve perfection, but if we could get it to the point where Google or anyone else in the supply chain would have to do something which is obviously and solely intended to hide their actions in order to exfiltrate private data, that would be great.

      Note that this is not an idle question. I'm a member of the Android security team, and in a position to make these sorts of things happen, or at least dramatically increase the likelihood.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Turn off in Windows? by swillden · · Score: 2

      It couldn't be that bad, or people on mobile networks would burn most of their month's data setting up a new device.

      And if that data is flagged in such fashion as to not count against one's data cap?

      Android doesn't send any particular different parameters during setup. There's really no way the carrier could even know the difference. And if the device could send something that meant "hey, doing setup, don't charge this" you know custom ROMs would arrange to send that *all* the time, or at least as often as they can get away with.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. If the hardware is there, assume it will be used by Anonymous Coward · · Score: 3, Insightful

    That is one reason my desktop doesn't have a mic, nor a camera. If it isn't there, then software can't abuse it.

    Even with laptops, back in the early 2000s, I remember a brand that had an analog switch. Flip the switch, no mic, no way for software to access the mic.

    We need that functionality back in hardware, just because it should be assumed that software will abuse it.

  3. Comment bubble thing next to the story icon? by meta-monkey · · Score: 5, Insightful

    No. I do not like change. Put the comment link back below the summary.

    Do it.

    Do it now.

    Do it.

    Do.

    It.

    --
    We don't have a state-run media we have a media-run state.
    1. Re:Comment bubble thing next to the story icon? by bulled · · Score: 5, Funny

      Does the average /.er have anyone to share something with?

    2. Re:Comment bubble thing next to the story icon? by nullchar · · Score: 2

      Assuming we did want to share /. stories with someone, we only paste URLs into our chat clients, never "share" them on "social media" platforms.

      I paste /. URLs into Jabber and IRC chats all the time.

    3. Re:Comment bubble thing next to the story icon? by aardvarkjoe · · Score: 2

      But the new design saves so much screen real estate!

      Oh, wait. Because of that stupid "share" button sitting all by itself that nobody is going to use, you haven't saved any space at all.

      Isn't one of the tenets of good website design that it's better to make the links obvious so that people can find them? Old users are annoyed by the change because it breaks their expectations. New users are much less likely to find the comment section of Slashdot because there's no clearly-marked link to get to them -- you have to figure out to click on some cryptic icon that just looks like a decoration. You're not saving any screen space, and the "share" button sitting all alone like that just looks silly.

      I don't mind an interface change if there's a good reason for doing so, but this one is all downside.

      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    4. Re:Comment bubble thing next to the story icon? by Anonymous Coward · · Score: 4, Insightful

      That's not the worst part. They don't just not know the audience, they don't know how this site is used, or why it's any good.

      Nobody is going to share the /. summary of a linked article. The summary is crap most of the time, the good part about /. is the discussion it generates, not the summary itself. You'll either share the linked article (so nothing related to /.) or the article page with the comments after you read the comments.

      Put a big-ass share button on the bottom of the comment page and you'll get more shares and might get more readers after they see the comments. As it is right now nobody will use the share button and newcomers to the site won't even realize there are comments worth reading and will dismiss it as a crappier commentless reddit clone.

  4. Re:Speaking of "opaque" - Dice, WTF re: comment li by ArchieBunker · · Score: 4, Insightful

    More minimalist bullshit. If you have to stop and think about what a button or image means then the design is broken. What is wrong with the word "comments"? Why must it now be a cartoon speech bubble?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  5. Re:"Ok, Google, are you snitching to the NSA?" by jellomizer · · Score: 4, Funny

    Oh come on, you all know those engineers at Google actually wrote that code in a HEX editor in straight machine code. It is completely open source. Just because you don't know machine code, doesn't mean Google is violating open source methodology. Say you didn't know APL and I created an APL program, and gave you the source. Am I not sharing the source with you?

    FYI: Tongue in cheek.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Re:"Ok, Google, are you snitching to the NSA?" by Carewolf · · Score: 2

    I can see why they'd be less than transparent about it..

    Nah, not the NSA. They spy for the one spying organization bigger than the NSA: Google ;)

  7. Re:Speaking of "opaque" - Dice, WTF re: comment li by Anonymous Coward · · Score: 4, Insightful

    Or just clicking the article name? It's the same damn page. This really isn't that hard.

    It's not obvious that the article name is where you would click to delve into the article since it's above the summary and most people read from top to bottom. Not only that, but on a collapsed article, clicking on the title expands the post. Why on Earth would I expect clicking the title again would take me to the comments and not to collapse the post back down again?