Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Is Scanning Files on Your Computer, and People Are Freaking Out (vice.com)

Posted by msmash on from the privacy-woes dept.

Some cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware. But there's no reason to freak out about it. From a report: Last year, Google announced some upgrades to Chrome, by far the world's most used browser -- and the one security pros often recommend. The company promised to make internet surfing on Windows computers even "cleaner" and "safer" adding what The Verge called "basic antivirus features." What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.

[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.

27 of 213 comments (clear)

  1. Inappropriate -- Why be secretive about it? by b0s0z0ku · · Score: 5, Insightful

    If there's nothing to hide and this is only scanning for viruses, why not notify users and GIVE THEM AN OPTION? Even if it's "only" an anti-virus, having one AV running on top of another tends to slow older hardware down.

    1. Re:Inappropriate -- Why be secretive about it? by b0s0z0ku · · Score: 4, Insightful

      No. It's not understandable AT ALL. Security updates can be mandatory, or at least highly encouraged. Forcing UI and compatibility changes on users without warning, without asking them, is completely unacceptable.

      MS's model isn't about security -- it's about control and monetization. The endgame is to gradually replace features with Store programs that require a monthly or annual payment...

    2. Re:Inappropriate -- Why be secretive about it? by dbialac · · Score: 5, Insightful

      But they disclosed they were sending all your files to them on paragraph 30328 sentence 204.

    3. Re:Inappropriate -- Why be secretive about it? by theweatherelectric · · Score: 4, Informative

      Do that many people really use Chrome as their browser of choice?

      Yes.

    4. Re: Inappropriate -- Why be secretive about it? by Anonymous Coward · · Score: 5, Insightful

      Nothing "cool and edgy" about it. As an IT security guy, I can tell you that Chrome is a privacy nightmare. Google is a very big danger, but people don't care because they're getting something for free, privacy be damned. Google, Facebook, virtually anything free leaves *you* as the product, not an actual customer. Again, nothing cool and edgy about taking the safer path. The path of Google, Facebook et al. is the path of the lemmings. Firefox is no longer the darling of the tech world, but it doesn't need to be. It's still the most customisable browser out there.

      Want a real eye-opening experience? Install a Raspberry Pi and a Pi-hole and watch the real-time DNS traffic as it exits your network. You would be gobsmacked by what is phoning home. Even your router is "phoning home" to entities besides the router OEM. This insight allows you to block via the Pi-hole, router, or both. Using a Pi-hole also cuts down on used bandwidth, because it blocks content at the DNS level, which means it doesn't even get called. Highly recommended.

  2. Performance by Translation+Error · · Score: 5, Interesting

    And what kind of performance hit do I suffer when this happy surprise software runs on my older computer? Do I get to choose when it runs?

    --
    When someone says, "Any fool can see ..." they're usually exactly right.
    1. Re:Performance by reboot246 · · Score: 5, Interesting

      A better question is, have they actually found any viruses? And, if they have found any, have they let the user know about it or have they just quietly deleted it?

      An anti-virus that has been running for a year on millions of computers surely has found something by now. If not, then why run it at all?

      Any answers, Google?

  3. Freaking out? by 110010001000 · · Score: 5, Interesting

    Why are people freaking out? You let Google run whatever software they want on your computer. They might be reading all your files and sending them to their servers. How would you know? If you care, why would you run Chrome? What a mess this industry is in now. People should have listened to Stallman. Instead we have "open source" Chrome and Android.

    1. Re:Freaking out? by Actually,+I+do+RTFA · · Score: 5, Insightful

      It's perfectly reasonable to expect a legal framework to restrain what software Google runs on you computer. Installing Chrome shouldn't automatically install (and run) Google's anti-malware. And it certainly shouldn't be built into the application in a hidden way.

      --
      Your ad here. Ask me how!
  4. Chromium, too? by koavf · · Score: 4, Interesting

    Does anyone know if current builds of Chromium do this?

  5. Re:Chrome is malware by b0s0z0ku · · Score: 4, Insightful

    Even if it's not actually dangerous, it certainly doesn't do good things for the speed of older hardware or heavily-loaded hardware. You bought the machine, you should own the CPU cycles.

  6. Web broser != virus checker by Anonymous Coward · · Score: 4, Insightful

    Why the f*ck is my web browser trying to be a virus checker? If i wanted that I would get a virus checker.

    This kind of idiocy, however well intended, is why we have computer f*cking about SWAP SWAP SWAP SWAP instead of getting on with useful tasks.

  7. But then how will you know by future+assassin · · Score: 4, Insightful

    what item to buy from the next ad you see with out Google help. Come on Corptizen you want to do all the figuring out yourself and not have Google selects the right choice for you.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  8. Fixed in /etc/hosts by Drunkulus · · Score: 4, Informative

    0.0.0.0 *.scorecard.*[net,org,com,biz,*]

  9. The difference by duke_cheetah2003 · · Score: 4, Insightful

    Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of âuser-friendly software' that informs the policy for Chrome Cleanup [Tool].

    This is the difference between wanted security consciousness and hiding what you're doing to a customer's computer. Communication. If Google had come out and said they would add this to Chrome, before a security researcher came out with this information, no one would have cared or looked twice. It's all about communication. Tell people what you're up to, otherwise, we freak out and assume the worst.

  10. How about I go to Google and scan their offices? by JoeyRox · · Score: 5, Funny

    They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things. No need to panic - I have only good intentions at heart. What, you didn't think a chef should also double as your security detail?

  11. not trusting google by arbiter1 · · Score: 4, Interesting

    I use Eset and purchase their antivirus software on a reg basis and i trust them but i don't for life of me Trust that google is only "scanning for virus's". Given how recent revelation I heard how good pretty much will track gps of where you been and save it for years. Also if sites you visit even when using incognito mode, only thing this tells me its harvesting more info on end users. this video kinda tells you exacty what they collect about you on a reg basis and its kinda scary: https://youtu.be/Ke1gViMc2dY?t...

  12. This is why by 93+Escort+Wagon · · Score: 4, Insightful

    I only use Chrome for accessing sites which require it... or require Flash. Otherwise, I steer clear of Chrome.

    It's also an object lesson proving people right who've consistently argued that Chrome (on the Mac, at least) shouldn't be given the default admin permissions it asks for to "keep itself updated". It's true you shouldn't trust any company too much... but you really can't trust an advertising company to not put its hands in the cookie jar if you've placed it conveniently within their reach.

    --
    #DeleteChrome
  13. State of things by Sperbels · · Score: 5, Insightful

    Your ISP is collecting your data. Your OS is collecting your data. Your search engine is collecting your data. Advertisers are collecting your data. Your browser is collecting your data. The NSA knows what I'm thinking before I do. So now everyone knows the size of my bank account, my shoes, and my dick. Hardly seems worth all the trouble. We've created this huge surveillance network ostensibly so they can market shit to me. Yet, I ignore 99% of the advertising that I see. And the network is predictably (also predictedly) leaky as fuck. Several of my unique passwords and all my identity information is probably floating around in dozens of nefarious databases. Are we better off?

  14. Re:Yeah, right. by CanHasDIY · · Score: 4, Interesting

    You know they are remotely storing metadata about what it scans.

    This; pretty sure Google made the same assurances when they first started scanning everything in your Gmail account... wasn't long before "we're just checking for viruses" turned in to "all your data is belong to us."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  15. Re:Chrome is malware by Rockoon · · Score: 4, Informative

    Even if it's not actually dangerous, it certainly doesn't do good things for the speed of older hardware or heavily-loaded hardware.

    The reduced longevity of a constantly reading spinning platter hard drive comes to mind also.

    Dear Google. Dont destroy my hardware. K. TX.

    --
    "His name was James Damore."
  16. The setting is NOT persisted across restarts by nadass · · Score: 5, Informative

    In the settings page, chrome://settings/cleanup

    The option is "Report details to Google" and it defaults to being Checked. When I uncheck it, then eventually shut down the Chrome process (on Windows), then restart Chrome and verify its status, it remains as Checked.

    So, essentially, this option cannot be disabled except MAYBE momentarily. Is it a feature or a bug?

  17. Sandbox model by Tablizer · · Score: 4, Interesting

    It should be up to the user to decide what a given application has access to outside of standard binaries and user-app-data folder sets. If one wants an app to have access to stuff outside of those, then it should be an OS-level setting, not something the app decides, similar to a fire-wall.

    If the app wants to show a tutorial to users for how to config their "folder fire-wall" to allow an app to outside of the sandbox, that's fine, but it should be outside of the app's control still.

    --
    Table-ized A.I.
  18. VIRUS ALERT: Chrome has detected SHTSTORM64 by Anonymous Coward · · Score: 5, Insightful

    Let me ask a really stupid question.

    Imagine you were browsing the web minding your own business. Next thing you know all of the sudden your browser flips out opening windows warning you about viruses on your own computer would you believe it? For years we keep telling people not to fall for this shit.

    Now this... just the uncertainty / phishing leverage alone of browsers doing AV the mere fact this feature exists within a browser puts end users at massive unnecessary risk for no valid reason. Google could simply release a standalone virus scanner if they really gave a shit.

    Try Googling chrome and virus scanner.. The results speak to why doing this is a really really bad idea.

    My personal opinion every means by which data is exfiltrated requires some cloak of legitimacy. You can't just have shit rummage through everyone's computer for no reason. You'll be publically skewered and sued. There has to be a plausible enabling excuse hence the virus scanner nobody knows about. Oh look our scanner found something interesting ... there was no prompt asking the user whether they want their computer scanned in the first place so why does anyone think there would be a prompt before your data (or "metadata") starts getting uploaded to Google "for your own good" ?

    As you may have guessed I don't trust Google enough to run any of their software on my computer. Those who prefer Chrome should consider Chromium.

  19. I would only run ... by Anonymous Coward · · Score: 4, Interesting

    I would only run Chrome browser in a virtual machine to test websites I develop. Otherwise, I simply do not use it. IMHO, it likely spyware with a browsing feature. I confounds me is that most people use it as their main browser, as if the Google spy-widgets in half the sites out there aren't enough for them.

    While Windows is of late too snoopy by default (if you switch to Basic it collects mostly hardware spec stuff which it's been doing since it offered updating back in the 1990s or XP), it would be very reasonable to assume Google and Facebook has far far (far far far) more on folks than Windows and Microsoft ever will.

    Moreover, if one chooses and configures carefully, one can shut off the excessive telemetry stuff (yes you can) and still use from the Windows 10 family of operating systems relatively privately at least at the computer and operating system side.

    I have many of Google's snoopy URLs deadsunk in a hosts file, and FB completely deadsunk except on one computer. They are in the business of snooping in a way Apple and Microsoft are not. So be wary of Google and Facebook. They are trying to be everywhere online watching what you do.

    But to use Chrome !? As your browser !? Are you a dupe !? You've got to be kidding!

  20. Drop it like a hot potato. by MadMaverick9 · · Score: 4, Insightful

    Why don't people drop google, facebook, et al. like a hot potato?

    Because people are inert, hopelessly dependent on the system. They fight to protect it.

    That is why nothing will change.

    We don't need/want governments to enact laws (Macron, etc.).

    People need to look themselves in the ass and take their own lives into their own hands.

    Same with the new visa requirements for the US. Just don't go !!! Just don't do it !!! For crying out loud - how difficult can it be ?!?!?!

  21. Re:Yeah, right. by thegarbz · · Score: 4, Insightful

    pretty sure Google made the same assurances when they first started scanning everything in your Gmail account

    You have a rosy view of history. Google has pretty much said "all your data are belong to us" from the beginning of Gmail.