Update: Google has stated that they are working on a change to their system which will anonymize all data collected from their suggestion services (including Chrome) after 24 hours. This is exactly the sort of thing I was hoping for. Good job Google!
Update: Maybe Google’s new privacy policy isn’t good enough after all.
A friend of mine let me in on some info about Google’s secret Chrome project about 6 months ago but I didn’t get to actually try it till yesterday. I’m pretty impressed with some of their new innovative features like independent processes for tabs, compiled javascript, and the incognito mode.
But then I realized something huge. If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome will use the cookie of whatever Google account you are currently logged into.
No other browser that I know of uses an automatic search/suggest feature in the location bar. The location bar is where you type the address of the site you want to navigate to. Firefox uses a suggest feature in the search bar. It makes sense to do it there. Google.com now has auto suggest on their homepage. It makes sense there too. Now it makes sense to also have it in the location bar in terms of a nice helpful feature. But in terms of privacy I think this is a new low. I think Google should, at the least, not be sending your cookie out with these searches. But even then they could be connected to you by IP.
Don’t believe me? Go download the Wireshark packet sniffer and do some tests for yourself.
Now to be fair it seems they don’t auto suggest once you’ve typed “http://” but who actually types that anymore? There are also some timing issues, if you type really quickly and hit enter the auto suggest may not be attempted.
I’m sure there’s a team of Google data mining engineers somewhere who are giddy as shit about having all this information once Chrome becomes more widespread.
Update: Google responded to a CNET story about this issue regarding their data retention policy:
A Google representative told CNET News that the company plans to store about 2 percent of that data–and plans to store it along with the Internet Protocol address of the computer that typed it.
Update: As Rushi Vishavadia points out, the data will be sent to whatever search engine you set in the options. Of course it will default to Google but if you were to change it to Yahoo or MSN they would be receiving this data instead of Google.
Here’s an example of what Chrome is sending to Google while I’m typing the URL www.whatismyip.com into the location bar:
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=ww HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.what HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.c HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.co HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.com HTTP/1.1
Here’s an example when I’m typing the search query “how to cheat on taxes” into the location bar:
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+t HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+c HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+tax HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+taxe HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+taxes HTTP/1.1
Even if I never pressed enter to submit the above search to Google, they would still have this data and be able to link it to my account.
I should point out this feature can be disabled by going to Options -> Manage -> Uncheck “Use a suggestion …”
This is definitely going to strike fear into every person who looks at or type in sites they shouldn’t while using chrome. You know who you are, and you should be afraid. Afraid because whether you’re using chrome or not, you’re doing something bad. And that’s stupid. And eventually it will make you sad. And being sad is scary. Here’s a tip, don’t do bad things.
Comment by Ryan — September 3, 2008 @ 5:33 pm
What is “bad”?
You don’t do bad things do you?
Your opinion about right and wrong is just and correct and not subject to ridicule, or penalty?
It’s easy to pass judgement when you are pefect, eh?
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:45 pm
That will happen with any search engine you use with Chrome. You can use MSN Live or Yahoo Search with Chrome as well.
Comment by Rushi Vishavadia — September 3, 2008 @ 5:46 pm
@Ryan: you’re right.
Let’s just live in fear, it’s a lot easier that way.
Comment by V2 — September 3, 2008 @ 5:53 pm
I am sure Ryan doesn’t do “bad” things just like google “does no evil”.
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:47 pm
IE is going to offer users a chance to set IE to “private”, which will block Google’s Adwords advertising then Google Chrome born. Google Chrome is clean and fast. But I love Firefox.
Comment by Thai SEO — September 3, 2008 @ 6:06 pm
It’s the same as Google Docs so, meh.
Comment by Rob — September 3, 2008 @ 6:23 pm
So what you are telling me is that I can overload google’s data miners by writing an app that will do pointless searches all day. Then I can pass this app on to everyone else who has virtually unlimited internet. Do you think they limit it to a max # of times per IP?
Comment by Zach — September 3, 2008 @ 6:36 pm
It doesn’t “default to Google” it actually defaults to whatever your previous browser setting was. BTW Firefox 3.0 and 3.1 do this as well, it’s nothing new.
Comment by ppilatee — September 3, 2008 @ 10:08 pm
this isn’t that scary at all. there’s only one way to make recommendations as you type – and that’s to submit the data as it’s being typed. this happens in firefox, IE, and safari if you use pretty much any modern search feature on most popular webpages.
i’d be more scared if this was happening while I was typing in a textbox like the one i’m using now to make this comment…
Comment by mjg — September 3, 2008 @ 11:06 pm
What do you think AJAX is for you noob?
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:48 pm
@mjg: I think you missed the part where this is happening in the location bar. The place where you usually type the URL of websites. In all other browsers this happens in the search bar, not the location bar. All other browsers won’t send the URLs you type into the location bar to a search engine for suggestions, but that is what is occurring now with Chrome.
Comment by coderrr — September 3, 2008 @ 11:37 pm
And when you click through on a search result on Live Search, Yahoo, Google, Amazon, Wikia, etc., the Web site you click through gets recorded on their servers.
I don’t see where you’re going with this. Yes, the browser is sending data to be used to aggregate suggestions. And yes, the address bar and the search bar are the same in Chrome. But this kind of aggregated anonymized data is very *very* old stuff. Yahoo’s been doing it for years. You just happened to notice this kind of conventional technology with this browser.
Comment by PZ — September 4, 2008 @ 2:13 am
on “anonymized”
It does not matter “who eats the peanut in home”. For a peanut seller knowing “some one in home eats the peanut” is sufficient to start selling peanut.
Same with google, google as a web super power is molding web’s direction only with business in mind. Example Adwords.
Comment by freecheese — September 4, 2008 @ 6:35 am
>> It doesn’t “default to Google” it actually defaults to whatever your previous browser setting was. BTW Firefox 3.0 and 3.1 do this as well, it’s nothing new.
Google toolbar started it.
Comment by Anonymous — September 4, 2008 @ 6:50 am
>>It doesn’t “default to Google” it actually defaults to whatever your previous browser setting was. BTW Firefox 3.0 and 3.1 do this as well, it’s nothing new.
Google toolbar started it.
Comment by freecheese — September 4, 2008 @ 6:50 am
This is just ur last option to find some controversy out of this.. Nothing else. This is something what most of the modern browsers do now.. (not sure about Ie8)… There is nothing to fear about if u don’t have a criminal cyber-life…
Comment by Abey — September 4, 2008 @ 7:00 am
[...] Ketiga : Mungkin Ini mengagetkan. [...]
Pingback by Serangan Balik Firefox « Teknologi [tidak] harus canggih — September 4, 2008 @ 7:09 am
[...] A warning: privacy problem could be worse that you imagine. [...]
Pingback by ABOUT THE CHROME « RICELANDER’S BLOG — September 4, 2008 @ 7:14 am
To me the automatic search/suggest feature could potentially be a windfall for Google, especially as it launches an ad publishing network and ad exchange. The ability to steer traffic to sites running Google AdSense, and to be able to optimize that traffic based on the eCPM of the sites in that network, creates an incredible ability to drive traffic based upon the same Google optimization engine used for AdWords. This is a great thing for Google, but may be a suboptimal solution for users.
This clearly eliminates the middle man in Google’s path to unfettered access to as much data as Google’s thousands of servers can process and leverage in it’s desire to deliver more “relevant” ads. Please, since when did relevant ads have value. Relevant content and news, great. Relevant ads are the creation online advertisers and those who are willing to continue to drink that kool-aid.
You may also want to read the privacy policy associated with the install, prior to the install. It’s pretty telling.
Comment by vallen — September 4, 2008 @ 7:48 am
You can easily turn off the autocomplete.
Go to Options, then click to Manage default search and then untick the checkbox marked “Use a suggestion service to autocomplete searches and URLs typed in the address bar”
Comment by John — September 4, 2008 @ 8:20 am
Why does it need to be “turned off” by default? By default you should be 100% protected and OPT IN for such things.
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:50 pm
OH MY GOD!! TERRORISTS ALERT!!!!
Comment by Marcio — September 4, 2008 @ 8:48 am
[...] Днес видях това: Google Chrome privacy worse than you think, малко е малко много плашещо [...]
Pingback by Google Chrome: 2ри ден | NeXt — September 4, 2008 @ 8:54 am
its scary anyway.. so I’m not going to install chrome.
Comment by Eike — September 4, 2008 @ 10:40 am
its scary anyway.. so I’m not going to install chrome.
Comment by Eike — September 4, 2008 @ 10:41 am
I love FF, and will stick to it. Chrome is a fad will pass away, unless Google does something evil.
Comment by chirax — September 4, 2008 @ 2:34 pm
This IS Evil! You know, for years sites like Scroogle have been warning everyone about the really questionable business practices going on over at Google – and their incredibly tongue in cheek Mission Statement “Do No Evil”. Google needs to switch from their ad based corporate philosophy to more of a bank one. There are ways to target folks with appropriate ads without all of this intrusive spyware, and don’t even think of arguing with me here, this IS Spyware! In fact 90% of their products feature spying and data mining storage with virtually no expiration date. I used to think Microsoft’s Privacy Policy was bad – no more. Google now tops the list of worst privacy violator with Chrome. SHAME ON YOU GOOGLE! Put our Privacy FIRST from now on, ads second, or you ARE going to lose ALL of your customer base. For Privacy is OUR first concern. Doubt it? Put out one more product like this and watch your public turn on you like hyenas with the smell of fresh blood in their noses.
Comment by M.E. — September 4, 2008 @ 3:03 pm
I recently changed my search provider to Scroogle Scraper and recommend it for everyone if you like the search results, but your privacy as well.
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:51 pm
[...] resolve some of their issues. Google’s url bar is also a search bar and suggests urls. This information is then connected with your IP address and passed along to Google. If you’re viewing chan, slash, sexually explicit fanart, this [...]
Pingback by Fan History » Blog Archive » Google Chrome and fandom — September 4, 2008 @ 5:08 pm
Hello,
Nice post, by the way if you want to have more information about Google Chrome Easter Eggs, Secrets and the funny Google Chrome Crasher…. just check this post >> http://hostintruder.wordpress.com/2008/09/03/google-chrome-superpower-browser/
You will have a detail description of Google Chrome.
Bye.
Comment by hostintruder — September 4, 2008 @ 5:25 pm
This sounds like that they want to know everyone’s every move. It can be good and bad. The good side is they could monitor people that could be a threat, the bad side is that they know everything you do.
Comment by austingndr — September 4, 2008 @ 6:34 pm
Has anyone else been successfully able to actually turn off the auto suggest feature? I have read the instructions and unchecked that box, but it does not work and they still continue to fill in suggestions. Was just curious if this is just my computer or if others have been successful in turning if off?
Comment by RLF — September 4, 2008 @ 6:43 pm
ah, screw it. google already KNOWS everything I’ve ever done. If you want to be anonymous use a proxy, or better yet – don’t get on the internet.
zach – yes. google DOES limit the # of queries you can do in a day. I’m booted off several times a week.
Comment by floridaforeclosure — September 4, 2008 @ 7:23 pm
[...] com o servidor enquanto digita uma simples URL como a “www.whatismyip.com” Confira no post original outras análises. GET /complete/search?client=chrome&output=chrome&hl=en-US&q=ww [...]
Pingback by Google Chrome e a Privacidade | Conexões — September 4, 2008 @ 7:34 pm
[...] As Rushi Vishavadia points out, the data will be sent to whatever search engine you set in the options. Of course it [...]
Pingback by Google Chrome privacy worse than you think « TJ Marsh’s Weblog — September 4, 2008 @ 9:32 pm
…err. This is not a privacy issue at all. Those data collected by Google are stored on an indexing machine and will be used as search queries. After that, they’ll be deleted. Anyway, your IP address and private information isn’t sent. Just the search queries. These things are the same data sent to Google when you search for something using their main web page — or if you use Firefox search.
Comment by Francis Panganiban — September 4, 2008 @ 11:09 pm
[...] Coderrr Blog has some examples of requests sent to Google’s servers. It’s pretty [...]
Pingback by Google Chrome Security, Privacy, Technical Issues | Cow's Blog — September 5, 2008 @ 12:27 pm
Thanks for this info. I’ve added it to a growing list of Google Chrome features and issues.
Comment by Matt — September 5, 2008 @ 3:34 pm
so what’s the difference between spyware and this? will anti-spyware / anti-virus tools warn you when you use google chorme?
Comment by one — September 6, 2008 @ 4:53 pm
[...] In der Adresszeile aber ist es das nicht. Was da nämlich bei der Eingabe von Adressen abgeht, wurde hier schön im Detail dargestellt. Und: Sowas macht der FireFox eben nicht. Der IE auch nicht. Und zu vergleichen ist das, was da [...]
Pingback by Sorry: Nochmal Chrome und Spreeblick | Datenschutz-Blog — September 6, 2008 @ 6:12 pm
Chrome is Free Software. If people have a problem with this behavior you can be assured that it will be forked. Google just wants to get the technology out there and inspire improvement and standards compliance in browsers so that people can use their apps so they can continue to challenge Microsoft. Google isn’t really counting on Chrome to report back everything you do.
Comment by Tracy Reed — September 7, 2008 @ 2:55 am
so a friend, or was it a movie, once said “location location location” concerning real estate.. or was it nipple clamps..?
when dealing with major statements, these being corporate, government, or basically someone you know you cannot generally trust, it all boils down to details details details. DETAILS MF!
“A Google representative told CNET News that the company plans to store about 2 percent of that data–and plans to store it along with the Internet Protocol address of the computer that typed it.”
clear definition of 2%? anything that is typed into the bar? just urls? just requests for searches? etc etc.
so it’s storing out ip too? again, for which requests? further, can we influence the storing? opt out perhaps?
dont be evil is so laughable. google is nearlz as bad as ms or apple – onlz they actually effing provide.
i am truly unhappy with the general situation.
Comment by eltaco — September 7, 2008 @ 3:01 am
Even if Google weren’t misusing it would still be evil, since the data is sent as unencrypted GET. This means that every provider en route to Google could potentially see what you type.
With the current structure of the Internet, such features need to be client side only.
Comment by Some Bloke — September 7, 2008 @ 8:06 am
[...] emergence and success of Firefox, has now officially begun. I think Google Chrome is rather a huge social experiment than a browser – what’s more important, your privacy or the (second) best [...]
Pingback by Google Chrome at GraBlog — September 7, 2008 @ 9:38 am
Some Bloke: “Even if Google weren’t misusing it would still be evil, since the data is sent as unencrypted GET. This means that every provider en route to Google could potentially see what you type.”
Um, yeah- what do you think happens when you actually do a web search? That’s right- the data gets sent to the search engine, unencrypted.
Comment by 34 — September 8, 2008 @ 4:09 am
Not if you use Scroogle Scraper’s SSL version.
Wake up! Don’t be so absolute in your beliefs.
Comment by Increase Search Engine Ranking — May 2, 2009 @ 4:58 pm
[...] the Coderr blog, says Google Chrome’s privacy is “worse than you think.” He explains: They (Google) [...]
Pingback by Privacy issues raised over Google’s Chrome browser | PinOy SPY! — September 8, 2008 @ 1:22 pm
Pretty scary. But maybe Google somehow now has the bad image Microsoft had when they took over Netscape. So people (especially those who care) won’t use Chrome. Instead they tend to the great alternatives such as Safari, Konqueror, iCab, Firefox, Mozilla, …
Comment by flöschen — September 8, 2008 @ 6:12 pm
I’m using a program similar to Wireshark and with Incognito mode activate (Ctrl+Shift+N), Chrome doesn’t send out any http packets while typing in the address bar.
Comment by P120D1GY — September 8, 2008 @ 11:50 pm
Also, Firefox sends out data as well when using the search field next to the address bar. Try Google, Yahoo, Answer.com, etc. Most of the search providers that come with the default install of Firefox 3 will query the providers web-service to return relevant results.
Comment by P120D1GY — September 8, 2008 @ 11:54 pm
> I should point out this feature can be disabled by going to Options -> Manage -> Uncheck “Use a suggestion …”
Before I go absolutely insane with paranoia, could someone PLEASE verify that this checkbox actually works as intended.
On my Win2k3 SP2 machine chrome keeps baking cookies and suggesting things, even in incognito mode.
Comment by Rydell Stevens — September 9, 2008 @ 5:57 am
[...] lusty desires from life partners; many privacy advocates state that Google will have insight into anyone’s Web browsing habits, Web searches, e-mail, contacts, photos, GPS and location all at a click of a button. Now, this is [...]
Pingback by The Web is Not an OS (or a Series of Tubes) • DygiScape — September 9, 2008 @ 10:17 pm
You’re still missing the point from this article. If you’re looking for something and you press the link and gets recorded, well at least you know it’s being recorded and never click on something suspicious.
Let’s say for example, I’m looking for a song to download or a crack to test the full features of a software before I buy it, If I’m looking that up in a search engine, they’ll know about me since this is illegal. But If I already know the website I need to access and I’m typing it in my browser’s address bar, I don’t want them to know about it.
This is just one example of privacy invasion. In addition to the fact that I don’t want to allow them to record my URLs, searches, etc.
Comment by Ronny Karam — September 10, 2008 @ 3:06 pm
[...] Einen interessanter, englischer Blogeintrag dazu ist Google Chrome privacy worse than you think. [...]
Pingback by InvulBlog» Blogarchiv » Google Un/Chrome — September 11, 2008 @ 8:14 pm
[...] klein wenig anders als Chrome, wo jedes eingegebene Zeichen in der Adresszeile bei Google landet (nochmal der Link wie das genau aussieht). Man mag darüber streiten, ob es jetzt schön ist, dass es dieses Verfahren gibt und dass es von [...]
Pingback by FireFox telefoniert nicht wie Chrome | Datenschutz-Blog — September 12, 2008 @ 12:11 pm
[...] Google Chrome no respeta mucho la privacidad de los usuarios: En fin, espero que saquen versiones modificadas (lo bueno del software abierto :) o "plugins" para desactivarlo. [...]
Pingback by Noticias 14-Septiembre-2008 - La Web de Programación — September 14, 2008 @ 5:55 pm
[...] Plus d’info sur la maniere dont Google Chrome espionne en micro detail toute votre navigation (malgre le fait [...]
Pingback by Le vrac du lundi — September 15, 2008 @ 11:23 am
[...] Google Chrome privacy worse than you think coderrr [...]
Pingback by Google Chrome privacy worse than you think « Barangay RP — September 16, 2008 @ 1:05 pm
wow, amazing thx for the info, wouldn’t have known about this otherwise
Comment by kingdom media — September 16, 2008 @ 10:18 pm
Maybe this will help?
http://www.softarchive.net/internet_tools/google_chrome_privacy_pack_v:97689.html
Comment by ali — September 18, 2008 @ 7:05 am
[...] information more accessible can only be good (even to the point of surveillance). But Google gets scarier every day, and it has bought YouTube. Wikipedia’s still good, but it will never be anything but a mess. [...]
Pingback by The Uses of Free Culture | The Row Boat by Nathan Schneider — October 1, 2008 @ 4:07 am
[...] AdPlanner and Chrome’s privacy issues won’t be on the agenda, but I’m all for our monarch getting to grips with how her [...]
Pingback by Her Royal Blogness : ShinyRed — October 16, 2008 @ 9:52 am
I discovered a major privacy vulnerability in Google Toolbar. Most people know that to clear your search history, you click “clear history” in the drop-down menu that appears under the search box. But this only clears your WEB search history! What people don’t know is that there is a separate search history for Google Images, Google News, Google Groups, etc. These additional histories DO NOT CLEAR when you clear your web search history! If you click on the little square icon with a ‘G’ on the inside left of the search box, you can switch the search function to images, news, maps, groups, etc. The little square icon will change when you do this, and the search history for EVERYTHING YOU HAVE EVER TYPED will be available for those search types, no matter how many times you have cleared the web search history! The “clear history” option is not global!
So, if you have ever searched Google Images, Google Groups, Google News, etc and have not cleared the history list for each one, everything you have ever searched for in those is still available for anyone to view.
Comment by anonymous — October 28, 2008 @ 7:43 pm
[...] know the google lovers say “CHROME!” but after reading the privacy policy, I can’t handle it. Opera is years more refined and has the options I need. I do miss noscript, [...]
Pingback by Jay R. Wren - lazy dawg evarlast » Blog Archive » I Use Opera — November 4, 2008 @ 12:25 am
thanks for the article. pay no attention to the disinformation trolls here telling you this is no big deal. they are hired writers that work for PR. they say no big deal. blah, blah, blah. but if it wasn’t a big deal, then you wouldn’t see so much energy spent on trying to convince you that this isn’t a breach of privacy.
Comment by tadair — November 11, 2008 @ 4:55 pm
Can’t say I’m worried, let them know that I download songs and watch movies, they can kiss my ass, try and prove it was me and not a hacker accessing my wireless modem, my computer will be smashed in my bath tub as soon as I see those ‘vans’ pull up, lol. Mmmkay??
Comment by RoflCopterz — December 2, 2008 @ 7:35 pm
I love FF, and will stick to it.
Comment by leather beds — December 7, 2008 @ 8:49 pm
Hey you all who think this is nothing to worry about:
THIS IS HOW THE FUTURE IS BEING SHAPED. You yourselves are taking part in creating the possible Orwellian control state. If your kids could go back in time from 2050 to this day to witness your statements now, what do you think they would think of you?
Comment by Zimba — December 19, 2008 @ 7:38 am
Feel free to have a look at http://goit-postal.blogspot.com/2008/12/google-chrome-without-data-sniffing.html – a browser fork named Iron is out there and it has no “data features” included… ;-)
P.S.: The so called “privacy packs” do not really help afaik.
Comment by Georgi — December 22, 2008 @ 12:48 pm
The situation is not as worse as it is listed here…..I hope…!!!with the final release..
Comment by krishna — December 27, 2008 @ 5:04 pm
Personally I’m still sticking with Firefox, mainly because of all it’s addons. I like what I’ve seen of Google Chrome, and will probably give it another go once it is out of beta (All Google software comes out of beta eventually, doesn’t it? :P)
Comment by mark — January 6, 2009 @ 2:58 am
Actually, the firefox I have uses the Google Suggest.
Oh well, there goes that crazy rant.
Comment by myron — February 1, 2009 @ 12:17 pm
With firefox beginning to suck (no offence, I was a die-hard FF fan until I updated TO 3.0) and chrome with privacy concerns, this is beggining to get a little worrisome.
Comment by Rear Guy — February 2, 2009 @ 7:30 pm
it is a very nice desine
Comment by Bob — April 19, 2009 @ 2:01 pm
[...] a browser based on Chromium code base. Iron uses the latest of webkit and ensures that some of the privacy issues associated with Google Chrome are not present. It uses the same user interface as Google Chrome so [...]
Pingback by Chrome is Good, but how about some Iron? — Digital Rover — June 28, 2009 @ 3:26 am