Google was downloading audio listeners onto computers without consent before the bug was fixed, Rick Falkvinge, founder of the Pirate Party has claimed.
Falkvinge alleged that Google listened into the conversations of users of Chromium without consent, through a ‘black box’ of code.
The 'black box' code was downloaded to enable a feature that activates a search function when you say "Ok, Google," however the code appears to have enabled eavesdropping on conversations prior to this – in order to hear the phrase. The software is able to transmit audio data back to Google, but Google claim the code was merely downloaded without consent and knowledge, not activated. On Monday, Debian maintainer Michael Gilbert said that the bug has been fixed, and the latest version of the Chromium package will no longer download the Hotword code by default.
In response, some users questioned whether Google should be trusted as an upstream contributor to the Debian project following the incident, saying that the project needs security measures and stricter controls as the source for Google’s Chrome web browser. Falkvinge wrote: "Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed [the] audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised.
"We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted." Chromium is an open-source project from which Google Chrome draws its source code. Debian user Yoshihito Yoshino first reported the security bug in May, after noticing suspicious network activity from Chromium 43, the most recent stable release of the open source version of the Chrome browser.
"After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading 'Chrome Hotword Shared Module' extension, which contains a binary without source code," Yoshino wrote. "There seems no opt-out config."