Slashdot Mirror


Chrome Is Scanning Files on Your Computer, and People Are Freaking Out (vice.com)

Some cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware. But there's no reason to freak out about it. From a report: Last year, Google announced some upgrades to Chrome, by far the world's most used browser -- and the one security pros often recommend. The company promised to make internet surfing on Windows computers even "cleaner" and "safer," adding what The Verge called "basic antivirus features." What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.

[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.


  1. Inappropriate -- Why be secretive about it? by b0s0z0ku · · Score: 5, Insightful

    If there's nothing to hide and this is only scanning for viruses, why not notify users and GIVE THEM AN OPTION? Even if it's "only" an anti-virus, having one AV running on top of another tends to slow older hardware down.

    1. Re:Inappropriate -- Why be secretive about it? by b0s0z0ku · · Score: 4, Insightful

      No. It's not understandable AT ALL. Security updates can be mandatory, or at least highly encouraged. Forcing UI and compatibility changes on users without warning, without asking them, is completely unacceptable.

      MS's model isn't about security -- it's about control and monetization. The endgame is to gradually replace features with Store programs that require a monthly or annual payment...

    2. Re:Inappropriate -- Why be secretive about it? by dbialac · · Score: 5, Insightful

      But they disclosed they were sending all your files to them on paragraph 30328 sentence 204.

    3. Re:Inappropriate -- Why be secretive about it? by Penguinisto · · Score: 3, Insightful

      Understood, but that still doesn't provide the option to turn it off.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:Inappropriate -- Why be secretive about it? by Rei · · Score: 2, Insightful

      It's worth remembering that the attack that led to the Shadow Brokers leaks involved AV sending scanned files under the guise of virus detections - and that the way it knew what to look for was that "files of interest" were presented as virus signatures.

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    5. Re: Inappropriate -- Why be secretive about it? by Anonymous Coward · · Score: 2, Insightful

      Because people are stupid.

      iOS has tons of spyware on it (see spybot search and destroy's category specifically for it). How many people are convinced that there is no issue in regards to privacy?

      You give a dialog box asking to do anything, the following will happen:
      - the end user barely understands but says yes.
      - they see the word virus and automatically assume that it's infested and freak out at every little thing.

      Am I defending Google? Not really. They should have mentioned what they're doing more publicly, even if it's outside the app.

    6. Re: Inappropriate -- Why be secretive about it? by Anonymous Coward · · Score: 5, Insightful

      Nothing "cool and edgy" about it. As an IT security guy, I can tell you that Chrome is a privacy nightmare. Google is a very big danger, but people don't care because they're getting something for free, privacy be damned. Google, Facebook, virtually anything free leaves *you* as the product, not an actual customer. Again, nothing cool and edgy about taking the safer path. The path of Google, Facebook et al. is the path of the lemmings. Firefox is no longer the darling of the tech world, but it doesn't need to be. It's still the most customisable browser out there.

      Want a real eye-opening experience? Install a Raspberry Pi and a Pi-hole and watch the real-time DNS traffic as it exits your network. You would be gobsmacked by what is phoning home. Even your router is "phoning home" to entities besides the router OEM. This insight allows you to block via the Pi-hole, router, or both. Using a Pi-hole also cuts down on used bandwidth, because it blocks content at the DNS level, which means it doesn't even get called. Highly recommended.

    7. Re:Inappropriate -- Why be secretive about it? by Anonymous Coward · · Score: 0, Insightful

      Of course Chrome sends the files themselves to cloud to be scanned. Why else would they be accessing the files if they would not profit from it? Every single action they do is there to monetize their users and their data, just accept that or use the competitor.

  2. Re:Freaking out? by Actually, I do RTFA · · Score: 5, Insightful

    It's perfectly reasonable to expect a legal framework to restrain what software Google runs on your computer. Installing Chrome shouldn't automatically install (and run) Google's anti-malware. And it certainly shouldn't be built into the application in a hidden way.

    --
    Your ad here. Ask me how!
  3. Re:Chrome is malware by b0s0z0ku · · Score: 4, Insightful

    Even if it's not actually dangerous, it certainly doesn't do good things for the speed of older hardware or heavily-loaded hardware. You bought the machine, you should own the CPU cycles.

  4. Web browser != virus checker by Anonymous Coward · · Score: 4, Insightful

    Why the f*ck is my web browser trying to be a virus checker? If I wanted that I would get a virus checker.

    This kind of idiocy, however well intended, is why we have computer f*cking about SWAP SWAP SWAP SWAP instead of getting on with useful tasks.

    1. Re:Web browser != virus checker by thegarbz · · Score: 3, Insightful

      Why the f*ck is my web browser trying to be a virus checker?

      Because the web is the single largest avenue for viruses to enter the system.

      The better question would be why the fuck not! It would be far more useful if virus checkers only monitored entry points on a system rather than performing a frigging crippling weekly scan > McAfee on my work machine I'm looking at you, you're making my CPU fan spin.

  5. But then how will you know by future assassin · · Score: 4, Insightful

    what item to buy from the next ad you see without Google's help. Come on Corptizen you want to do all the figuring out yourself and not have Google select the right choice for you.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  6. Not okay by Anonymous Coward · · Score: 3, Insightful

    I've got AV, and I've got it set up how I want it, I don't need google deciding it needs to screw with my system just because I use their web browser.

    At the very least, it needs to be simple to opt out of, which it doesn't seem like it is.

  7. Re:Performance by PolygamousRanchKid+ · · Score: 2, Insightful

    Do I get to choose when it runs?

    Yes.

    You chose that, when you installed it.

    Don't want it to run . . . uninstall it.

    Although, even if you uninstall it . . . it will probably run anyway.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  8. The difference by duke_cheetah2003 · · Score: 4, Insightful

    Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool].

    This is the difference between wanted security consciousness and hiding what you're doing to a customer's computer. Communication. If Google had come out and said they would add this to Chrome, before a security researcher came out with this information, no one would have cared or looked twice. It's all about communication. Tell people what you're up to, otherwise, we freak out and assume the worst.

  9. Re: Performance by Anonymous Coward · · Score: 2, Insightful

    So Chrome is virus scanning without permission. Where does it upload files when it finds something interesting? What else is it doing? Why not crypto mine as well? Perhaps it should enter your bank details and arrange for careful control of your finances. Just in case.
    These behaviours are inherently insecure because secrets are involved. Fun times ahead.

  10. This is why by 93 Escort Wagon · · Score: 4, Insightful

    I only use Chrome for accessing sites which require it... or require Flash. Otherwise, I steer clear of Chrome.

    It's also an object lesson proving people right who've consistently argued that Chrome (on the Mac, at least) shouldn't be given the default admin permissions it asks for to "keep itself updated". It's true you shouldn't trust any company too much... but you really can't trust an advertising company to not put its hands in the cookie jar if you've placed it conveniently within their reach.

    --
    #DeleteChrome
  11. State of things by Sperbels · · Score: 5, Insightful

    Your ISP is collecting your data. Your OS is collecting your data. Your search engine is collecting your data. Advertisers are collecting your data. Your browser is collecting your data. The NSA knows what I'm thinking before I do. So now everyone knows the size of my bank account, my shoes, and my dick. Hardly seems worth all the trouble. We've created this huge surveillance network ostensibly so they can market shit to me. Yet, I ignore 99% of the advertising that I see. And the network is predictably (also predictedly) leaky as fuck. Several of my unique passwords and all my identity information is probably floating around in dozens of nefarious databases. Are we better off?

  12. VIRUS ALERT: Chrome has detected SHTSTORM64 by Anonymous Coward · · Score: 5, Insightful

    Let me ask a really stupid question.

    Imagine you were browsing the web minding your own business. Next thing you know, all of a sudden your browser flips out opening windows warning you about viruses on your own computer. Would you believe it? For years we keep telling people not to fall for this shit.

    Now this... just the uncertainty / phishing leverage alone of browsers doing AV the mere fact this feature exists within a browser puts end users at massive unnecessary risk for no valid reason. Google could simply release a standalone virus scanner if they really gave a shit.

    Try Googling chrome and virus scanner.. The results speak to why doing this is a really really bad idea.

    My personal opinion: every means by which data is exfiltrated requires some cloak of legitimacy. You can't just have shit rummage through everyone's computer for no reason. You'll be publicly skewered and sued. There has to be a plausible enabling excuse hence the virus scanner nobody knows about. Oh look our scanner found something interesting ... there was no prompt asking the user whether they want their computer scanned in the first place so why does anyone think there would be a prompt before your data (or "metadata") starts getting uploaded to Google "for your own good" ?

    As you may have guessed I don't trust Google enough to run any of their software on my computer. Those who prefer Chrome should consider Chromium.

  13. Drop it like a hot potato. by MadMaverick9 · · Score: 4, Insightful

    Why don't people drop google, facebook, et al. like a hot potato?

    Because people are inert, hopelessly dependent on the system. They fight to protect it.

    That is why nothing will change.

    We don't need/want governments to enact laws (Macron, etc.).

    People need to look themselves in the ass and take their own lives into their own hands.

    Same with the new visa requirements for the US. Just don't go !!! Just don't do it !!! For crying out loud - how difficult can it be ?!?!?!

  14. Re:Yeah, right. by thegarbz · · Score: 4, Insightful

    pretty sure Google made the same assurances when they first started scanning everything in your Gmail account

    You have a rosy view of history. Google has pretty much said "all your data are belong to us" from the beginning of Gmail.