Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Privacy

Chrome Is Scanning Files on Your Computer, and People Are Freaking Out (vice.com) 213

Some cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware. But there's no reason to freak out about it. From a report: Last year, Google announced some upgrades to Chrome, by far the world's most used browser -- and the one security pros often recommend. The company promised to make internet surfing on Windows computers even "cleaner" and "safer" adding what The Verge called "basic antivirus features." What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.

[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.

This discussion has been archived. No new comments can be posted.

Chrome Is Scanning Files on Your Computer, and People Are Freaking Out

Comments Filter:
  • by b0s0z0ku ( 752509 ) on Monday April 02, 2018 @03:47PM (#56368959)
    If there's nothing to hide and this is only scanning for viruses, why not notify users and GIVE THEM AN OPTION? Even if it's "only" an anti-virus, having one AV running on top of another tends to slow older hardware down.
    • by future assassin ( 639396 ) on Monday April 02, 2018 @03:56PM (#56369017)

      what item to buy from the next ad you see with out Google help. Come on Corptizen you want to do all the figuring out yourself and not have Google selects the right choice for you.

    • by dbialac ( 320955 ) on Monday April 02, 2018 @04:17PM (#56369133)
      But they disclosed they were sending all your files to them on paragraph 30328 sentence 204.
    • by Anonymous Coward

      Because people are stupid.

      Ios has tons of spyware on it (see spybot search and destroy's category specifically for it). How many people are convinced that it's there is no issue in regards to privacy?

      You give a dialog box asking to do anything, the following will happen:
      - the end user barely understands but says yes.
      - they see the word virus and automatically assume that it's infested and freak out at every little thing.

      Am i defending Google? Not really. They should have mentioned what they're doing more

    • by stooo ( 2202012 )

      Google found out a way to legitimize this kind of crap :
      https://malwaretips.com/blogs/... [malwaretips.com]

      Seriously, google, WTF ?
      We did not ask for your snake oil AV, only for a browser.

    • by mysidia ( 191772 )

      There's a good reason not to give users an option to disable anti-malware functionality.
      (1) When it comes to malware defense; it is necessary to try to protect users against themselves, because end users are the problem, in fact.

      (2) If an advanced preference setting is available such as under chrome://flags; malware will simply hook the browser and turn off the feature.

      (3) If a secure UI is available in an easy to find place, then errant users will switch it off -- or follow poorly conceived "trouble

      • Wrong as usual - you're assuming that the software operates perfectly and doesn't interfere with any other software on the computer. MOST anti-malware software can be turned off, and it's designed in a way that can't just be "hooked" by malware.

        Also, not all IT-managed environments use an AD login -- not all companies can afford Windows Server or need its functionality. The tech industry doesn't need more paternalism like yours.

        • by mysidia ( 191772 )

          Also, not all IT-managed environments use an AD login -- not all companies can afford Windows Server or need its functionality.

          I say must use AD Group Policy, BECAUSE that is existing behavior --- that is: it is the stance Chrome already takes to all
          Administratively-definable settings: Chrome has a group policy template, but all Policy settings will be ignored unless the
          user is logging into a domain, and the settings are defined by a GPO: There is one alternative way to enforce policies in Chro

      • You're making *huge* assumptions here, which, to be fair may be true for your own situation.

        On the other hand, I regularly have to install legitimate and mandatory software that fails unless I turn off AV during the installation process or "exempt" it as an exception. Big projects requiring extreme focus are often done on a weekend because that's the only time a team can work without constant bureaucratic distraction. Many of the Service Desks or people authorized to alter group policy to allow disabling o

        • by mysidia ( 191772 )

          I regularly have to install legitimate and mandatory software that fails unless I turn off AV during the installation process

          Have you stopped to consider why that might be? None of that applies to what Chrome is doing which is background file scanning, and if you Exit/Quit all Chrome windows/processes, that's equivalent to "Pausing/Holding off AV" --- Chrome runs with normal user permissions. System Antivirus which is different install disruptive system services that require Administrator acces

    • Most of these companies try to give users as unobtrusive an experience as possible. That means reading as little as possible and not forcing users to confirm prompts if it can be avoided. While the majority of people on slashdot would rather be informed of minor changes, having one or two extra confirmation prompts can mean the difference between having over 50% market share and less than 5% market share.

      This is what happens when you let the free market direct consumer culture.
  • Performance (Score:5, Interesting)

    by Translation Error ( 1176675 ) on Monday April 02, 2018 @03:47PM (#56368965)
    And what kind of performance hit do I suffer when this happy surprise software runs on my older computer? Do I get to choose when it runs?
    • Re: (Score:2, Insightful)

      Do I get to choose when it runs?

      Yes.

      You chose that, when you installed it.

      Don't want it to run . . . uninstall it.

      Although, even if you uninstall it . . . it will probably run anyway.

      • by Mashiki ( 184564 )

        Well here's the problem for google. It runs afoul of privacy laws in pretty much every country outside of the US. It likely also falls afoul of various hacking laws in many of those same countries, regardless of whether or not you installed it. The privacy one is likely the part that will get the most traction though.

    • Re:Performance (Score:4, Informative)

      by EvilSS ( 557649 ) on Monday April 02, 2018 @04:07PM (#56369095)
      This is my concern as well, but on a larger scale. A lot of my customers insist on running Chrome in a Citrix XenApp or XenDesktop deployments. We already do what we can, including using VDI aware AV products (we we are forced to use them at all), to reduce unnecessary IOPS. Chrome is already a big resource hog (uses lots of RAM, bloats user profiles, etc) now they decided that they need to scan the OS and burn up IOPS as well? Thanks Google!
    • Re: Performance (Score:2, Insightful)

      by Anonymous Coward

      So Chrome is virus scanning without permission. Where does it upload files when it finds something interesting? What else is it doing? Why not crypto mine as well? Perhaps it should enter your bank details and arrange for careful control of your finances. Just in case.
      These behaviours are inherently insecure because secrets are involved. Fun times ahead.

      • Re: Performance (Score:4, Interesting)

        by Rockoon ( 1252108 ) on Monday April 02, 2018 @04:24PM (#56369169)

        So Chrome is virus scanning without permission. Where does it upload files when it finds something interesting? What else is it doing?

        Several years ago I ran into Windows 7 or one of Microsofts security products (defender, security essentials) wanting to upload files so that they can be "examined" or whatever. The files it marked were all copyrighted products and it would be copyright infringement to upload them to Microsoft.

        So now Google may also be in on this click-ok-to-become-a-criminal game? Good idea Google. Sooner or later the wrong file is going to get uploaded and you folks are going to be in a huge world of government hurt because it was the governments data you stole.

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Monday April 02, 2018 @04:44PM (#56369251)
      Comment removed based on user account deletion
      • And, if they have found any, have they let the user know about it or have they just quietly deleted it?

        If Google Chrome started randomly deleting people's Documents, we'd know about it.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        No, the better question is - why does Google sneakily try to ship an embedded OS under the guise of a web browser? This is the worst kind of feature creep/bloatware/Trojan horse in the software industry today and Google is not sufficiently being called to task on it. Why the fuck does my OS need an app that installs it's own antivirus, print servers, updaters, networking stack and all the other shit they've tried to jam in there over the past few years?

  • ...For forgiveness than for permission."

    Strat

    • The phrase actually starts with "Easier," not "Better."

      Makes a world of difference.

      • The phrase actually starts with "Easier," not "Better."

        Yes, but I'm "speaking in the voice of" a Google exec who needs this thing his people have been working on to be deployed so he gets that bonus.

        Makes a world of difference.

        It depends on the context. I adapted the quote to fit.

        Strat

        • its actually is "its better to ask for forgiveness then beg for mercy..."

          Mercy brings a more emotional response than "permission".
  • Freaking out? (Score:5, Interesting)

    by 110010001000 ( 697113 ) on Monday April 02, 2018 @03:48PM (#56368977) Homepage Journal
    Why are people freaking out? You let Google run whatever software they want on your computer. They might be reading all your files and sending them to their servers. How would you know? If you care, why would you run Chrome? What a mess this industry is in now. People should have listened to Stallman. Instead we have "open source" Chrome and Android.
    • Re:Freaking out? (Score:5, Insightful)

      by Actually, I do RTFA ( 1058596 ) on Monday April 02, 2018 @03:51PM (#56368991)

      It's perfectly reasonable to expect a legal framework to restrain what software Google runs on you computer. Installing Chrome shouldn't automatically install (and run) Google's anti-malware. And it certainly shouldn't be built into the application in a hidden way.

    • Re:Freaking out? (Score:4, Interesting)

      by Waccoon ( 1186667 ) on Tuesday April 03, 2018 @05:06AM (#56371597)

      When Chrome first came out, I gave it a try. This was also the time SSDs were becoming popular, so I had a tool running to monitor how much data was being read/written to the SSD, so I could gauge the amount of "wear" on the drive.

      I found out very quickly that every time Chrome did a cold start (after a PC reboot) that it would read 20GB and write ~4GB of data on startup. That was the first and last time I used Chrome.

      Thank you for putting "open source" in double quotes. I wish more people were aware that Chrome is a closed source build of the open source Chromium project (and trying to get Chromium to work is a PITA, to say nothing about Google intentionally moving the download location all the time).

  • Chromium, too? (Score:5, Interesting)

    by koavf ( 1099649 ) on Monday April 02, 2018 @03:50PM (#56368985) Homepage
    Does anyone know if current builds of Chromium do this?
  • by Anonymous Coward on Monday April 02, 2018 @03:53PM (#56369005)

    Why the f*ck is my web browser trying to be a virus checker? If i wanted that I would get a virus checker.

    This kind of idiocy, however well intended, is why we have computer f*cking about SWAP SWAP SWAP SWAP instead of getting on with useful tasks.

    • by thegarbz ( 1787294 ) on Tuesday April 03, 2018 @06:03AM (#56371719)

      Why the f*ck is my web browser trying to be a virus checker?

      Because the web is the single largest avenue for viruses to enter the system.

      The better question would be why the fuck not! It would be far more useful if virus checkers only monitored entry points on a system rather than performing a frigging crippling weekly scan > Mcafee on my work machine I'm looking at you, you're making my CPU fan spin.

  • Would be most important to me. Back when, I'd go into the quarantined folder to get my Keygens back out.

  • Not okay (Score:3, Insightful)

    by Anonymous Coward on Monday April 02, 2018 @04:01PM (#56369043)

    I've got AV, and I've got it set up how I want it, I don't need google deciding it needs to screw with my system just because I use their web browser.

    At the very least, it needs to be simple to opt out of, which it doesn't seem like it is.

  • Fixed in /etc/hosts (Score:5, Informative)

    by Drunkulus ( 920976 ) on Monday April 02, 2018 @04:02PM (#56369069)
    0.0.0.0 *.scorecard.*[net,org,com,biz,*]
  • The difference (Score:5, Insightful)

    by duke_cheetah2003 ( 862933 ) on Monday April 02, 2018 @04:07PM (#56369093) Homepage

    Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of âuser-friendly software' that informs the policy for Chrome Cleanup [Tool].

    This is the difference between wanted security consciousness and hiding what you're doing to a customer's computer. Communication. If Google had come out and said they would add this to Chrome, before a security researcher came out with this information, no one would have cared or looked twice. It's all about communication. Tell people what you're up to, otherwise, we freak out and assume the worst.

  • by JoeyRox ( 2711699 ) on Monday April 02, 2018 @04:07PM (#56369097)
    They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things. No need to panic - I have only good intentions at heart. What, you didn't think a chef should also double as your security detail?
    • They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things. No need to panic - I have only good intentions at heart. What, you didn't think a chef should also double as your security detail?

      Sounds like a Navy SEAL with karate and explosive skills turned cook https://en.m.wikipedia.org/wik... [wikipedia.org]

    • They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things.

      To extend that analogy the chef is also the only one who routinely brings big knives in through security.

      What I'm saying is, scanning for malware by the vector which is most likely to introduce it to the system actually makes sense.

      • What I'm saying is, scanning for malware by the vector which is most likely to introduce it to the system actually makes sense.

        I agree, but Google should be scanning the specific files Chrome downloads rather than doing system-wide sweeps. They already own a site they can use for the purpose - VirusTotal.
      • Their motivation is not so much to protect us, it is to slow down the competition whilst getting direct access to your data.

        They will profit in a two fold manner from this on one angle they slow or block competition and on the other angle they have the freshest data that pays more and they can also charge more as the other players can't provide data that fresh.

        Slowly, the water warms the frog....

  • not trusting google (Score:4, Interesting)

    by arbiter1 ( 1204146 ) on Monday April 02, 2018 @04:10PM (#56369109)
    I use Eset and purchase their antivirus software on a reg basis and i trust them but i don't for life of me Trust that google is only "scanning for virus's". Given how recent revelation I heard how good pretty much will track gps of where you been and save it for years. Also if sites you visit even when using incognito mode, only thing this tells me its harvesting more info on end users. this video kinda tells you exacty what they collect about you on a reg basis and its kinda scary: https://youtu.be/Ke1gViMc2dY?t... [youtu.be]
  • This is why (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Monday April 02, 2018 @04:18PM (#56369137)

    I only use Chrome for accessing sites which require it... or require Flash. Otherwise, I steer clear of Chrome.

    It's also an object lesson proving people right who've consistently argued that Chrome (on the Mac, at least) shouldn't be given the default admin permissions it asks for to "keep itself updated". It's true you shouldn't trust any company too much... but you really can't trust an advertising company to not put its hands in the cookie jar if you've placed it conveniently within their reach.

  • State of things (Score:5, Insightful)

    by Sperbels ( 1008585 ) on Monday April 02, 2018 @04:20PM (#56369153)
    Your ISP is collecting your data. Your OS is collecting your data. Your search engine is collecting your data. Advertisers are collecting your data. Your browser is collecting your data. The NSA knows what I'm thinking before I do. So now everyone knows the size of my bank account, my shoes, and my dick. Hardly seems worth all the trouble. We've created this huge surveillance network ostensibly so they can market shit to me. Yet, I ignore 99% of the advertising that I see. And the network is predictably (also predictedly) leaky as fuck. Several of my unique passwords and all my identity information is probably floating around in dozens of nefarious databases. Are we better off?
  • Google acquired Gizmo project, an open SIP Skype alternative, back in 2009. That was also scanning the whole computer for some reason.

  • Why does Chrome allow dangerous extensions to be installed and let ads through when it shouldn't in the first place?
  • by nadass ( 3963991 ) on Monday April 02, 2018 @04:31PM (#56369221)

    In the settings page, chrome://settings/cleanup

    The option is "Report details to Google" and it defaults to being Checked. When I uncheck it, then eventually shut down the Chrome process (on Windows), then restart Chrome and verify its status, it remains as Checked.

    So, essentially, this option cannot be disabled except MAYBE momentarily. Is it a feature or a bug?

  • Sandbox model (Score:4, Interesting)

    by Tablizer ( 95088 ) on Monday April 02, 2018 @04:53PM (#56369315) Journal

    It should be up to the user to decide what a given application has access to outside of standard binaries and user-app-data folder sets. If one wants an app to have access to stuff outside of those, then it should be an OS-level setting, not something the app decides, similar to a fire-wall.

    If the app wants to show a tutorial to users for how to config their "folder fire-wall" to allow an app to outside of the sandbox, that's fine, but it should be outside of the app's control still.

  • by Anonymous Coward on Monday April 02, 2018 @05:20PM (#56369425)

    Let me ask a really stupid question.

    Imagine you were browsing the web minding your own business. Next thing you know all of the sudden your browser flips out opening windows warning you about viruses on your own computer would you believe it? For years we keep telling people not to fall for this shit.

    Now this... just the uncertainty / phishing leverage alone of browsers doing AV the mere fact this feature exists within a browser puts end users at massive unnecessary risk for no valid reason. Google could simply release a standalone virus scanner if they really gave a shit.

    Try Googling chrome and virus scanner.. The results speak to why doing this is a really really bad idea.

    My personal opinion every means by which data is exfiltrated requires some cloak of legitimacy. You can't just have shit rummage through everyone's computer for no reason. You'll be publically skewered and sued. There has to be a plausible enabling excuse hence the virus scanner nobody knows about. Oh look our scanner found something interesting ... there was no prompt asking the user whether they want their computer scanned in the first place so why does anyone think there would be a prompt before your data (or "metadata") starts getting uploaded to Google "for your own good" ?

    As you may have guessed I don't trust Google enough to run any of their software on my computer. Those who prefer Chrome should consider Chromium.

    • You'll be publically skewered and sued.

      We can only wish. It's not something that happens often, and every EULA explicitly tells us, in plain black and white, that we completely forfeit our right to sue (as if a "right" can be signed away in a contract, let alone an agreement).

  • I would only run ... (Score:4, Interesting)

    by Anonymous Coward on Monday April 02, 2018 @06:07PM (#56369647)

    I would only run Chrome browser in a virtual machine to test websites I develop. Otherwise, I simply do not use it. IMHO, it likely spyware with a browsing feature. I confounds me is that most people use it as their main browser, as if the Google spy-widgets in half the sites out there aren't enough for them.

    While Windows is of late too snoopy by default (if you switch to Basic it collects mostly hardware spec stuff which it's been doing since it offered updating back in the 1990s or XP), it would be very reasonable to assume Google and Facebook has far far (far far far) more on folks than Windows and Microsoft ever will.

    Moreover, if one chooses and configures carefully, one can shut off the excessive telemetry stuff (yes you can) and still use from the Windows 10 family of operating systems relatively privately at least at the computer and operating system side.

    I have many of Google's snoopy URLs deadsunk in a hosts file, and FB completely deadsunk except on one computer. They are in the business of snooping in a way Apple and Microsoft are not. So be wary of Google and Facebook. They are trying to be everywhere online watching what you do.

    But to use Chrome !? As your browser !? Are you a dupe !? You've got to be kidding!

  • This is simply another reason not to install spyware on your system.

    Their claim to be "helpful" and "protect" you is the same BS the Department of Homeland Security uses.

    Straight out of Orwell.

  • by holophrastic ( 221104 ) on Monday April 02, 2018 @06:59PM (#56369901)

    If I were to be using chrome, this would have been a major problem for me. My documents are on a different drive, and that drive sleeps for most of its life.

    (It's actually kind of funny that in 2018, on a new and wonderful build, It takes longer for me to open an mp3 or a doc file, than it did in 1985! First access of the hour wakes the drive, and between the time-delay and the drive spinning up and the case fans spinning up at the same time, it feels and even sounds almost like a floppy disk drive. It can be up to ten full seconds, though it's usually closer to five seconds.)

    This feature in chrome would cost me major money, in terms of the life of my storage drives -- both HDD and SSD -- as well as the electrical expense, and the fan noise. It would also be a major curiosity and point of confusion as I'd be wondering why my machine were so active when nothing's being accessed.

    • This feature in chrome would cost me major money, in terms of the life of my storage drives -- both HDD and SSD -- as well as the electrical expense, and the fan noise.

      If this was actually a real concern than you wouldn't waste your valuable electricity posting on Slashdot. Seriously a virus scan causing problems shorting your disk life? Get a hold of yourself man. Snap out of it.

      • What I choose to do, is valued very differently than what someone else does in my name.

        Any software that intentionally does something unexpected, and conceals it, is malware. The consequences don't matter.

        I'd have spent I-don't-know-how-long trying to diagnose why my drives aren't sleeping.

        • Okay let me rephrase:
          If you're worried about your drive life then you should get a clue about drive reliability.
          If you're worried about power consumption: Why are you reading this! You should be doing something valuable with your power like researching drive reliability.

          • I think you'll need to reread, not rephrase.

            I can choose to spend or waste anything of mine. You can't choose to spend nor to waste anything of mine.

            You don't get to borrow my lava lamp when I'm not using without my knowledge -- even though it costs me nothing. You don't get to park in my driveway when I'm not home. You don't get to lean against my car in the parking lot.

            The consequences don't matter at all. It's simply not your decision.

            And a good thing too. You don't know my value equations, and you

  • Wheres the setting at? I don't have the "cleanup tool" installed and see no settings asking or telling me chrome is scanning my files..Chrome is not my default Browser btw.
  • You think free things like Chrome, Firefox, IE, or things like "free" apps, websites and everything are free because these companies are giving it to you out of the goodness of their heart? NOPE...it's about DATA MINING.
  • Quietly release a virus scanner (in a browser?!?), get people used to it, and then start uploading analytical data, serve even more targeted ads.

    Sounds like a wedge strategy to me.

  • by nehumanuscrede ( 624750 ) on Monday April 02, 2018 @08:07PM (#56370241)

    I would have said:

    " Nothing to be concerned about because if Google got caught doing something crazy like perusing all the files on your system, the backlash would be epic. "

    These days, I've come to realize Google or Microsoft ( of their own design or at the behest of another . . . *cough* Intelligence Commmunities *cough* ) going through your effects with a fine toothed comb and flagging anything of interest they may find. If they get caught, they get a slap on the wrist, a reprimand ( with stern sounding language no less ) and their promise to never do it again. :|

    Then, we simply wait until the storm dies out, and start again under a new name.

    We truly can trust no one anymore because it seems that even the trustworthy are simply hiding the knife until we look away for a moment. ( No, I don't consider either G or M to be trustworthy, but there is always someone who loves to speak up when X gets caught doing something stupid claiming they would never do such a dastardly thing. Like DuckDuckGo or Tor or $League_of_anti_evil_corporation )

    It really gets old.

  • How is what they are doing even legal? It sounds like a textbook definition of hacking (see reply title). Just because someone installed their browser does not authorize them to gain access to non-browser files. They let people connect to their servers, does that mean they authorize people to gain access to anything they can get access to through that connection?

  • I am shocked, shocked, that Google extend their proactive [google.com] scan of your data from Google Drive to your private disk. Shocked!

    Let's all pray now for the poor souls that had "hate speech", "terrorist" material or pictures of their kids in the bathtub on their local harddrives and were "... reporting you to the relevant authorities." Amen.

  • by MadMaverick9 ( 1470565 ) on Tuesday April 03, 2018 @01:03AM (#56371163)

    Why don't people drop google, facebook, et al. like a hot potato?

    Because people are inert, hopelessly dependent on the system. They fight to protect it.

    That is why nothing will change.

    We don't need/want governments to enact laws [independent.co.uk] (Macron, etc.).

    People need to look themselves in the ass and take their own lives into their own hands.

    Same with the new visa requirements for the US. Just don't go !!! Just don't do it !!! For crying out loud - how difficult can it be ?!?!?!

  • At best this is a bug. At worst it's malware.

  • you don't know the half of the dirty tricks, scanning and reporting almost all of your software does behind your back. how could you if you are using closed source software. if you care about that stuff you shouldn't be using windows at all (as you know, windows itself already does this, no need to install extra software).

    don't be so surprised, this has been the state of things since so long. people do easily forget, this whole 'surprise' about facebook and many other privacy violating online services was a

  • ...and the one security pros often recommend...

    Don't let allegations of popularity (regardless of whether they're true) hamper better thinking. Any so-called "security pro" that pushes for proprietary software is unfit to be called a computer "security professional". Proprietary (non-free, user-subjugating) software is never under the control of the user. It doesn't matter what the program purports to do, how popular someone claims it is, or who made the program. A lack of software freedom for the user is u

A physicist is an atom's way of knowing about atoms. -- George Wald

Working...