Google hears all

Windows with permission to listen to your microphone keep listening until they are closed

There's news today about a new exploit in Chrome, that centers around the recently-introduced listening features. The new feature is not just limited to Google search, and any webmaster can implement it on his or her site with minimal coding. That is exactly the sort of thing that leads to scary-sounding issues, like the one today. 

In a nutshell, a website can ask for permission to use your microphone. Once granted, it can open another window from the same domain, and listen to the sounds coming in from your mic. Even if you surf away from the original window that asked permission. This becomes a problem when users lose track of what windows they may have open, and leave a sneakily placed pop up window running all day long to listen to everything it can hear.

But is this the expected behavior? Read on.

More: Talater.com

Working as expected? Maybe

Android Central

This isn't exactly a new issue. The fellow that first found and reported the issue did so back in September of 2013. The issue was acknowledged, and code to fix it all was written. But it has yet to be merged, because the people who decide things like standard behavior for new features haven't decided if this is expected behavior or not. 

When you give permission for something to happen, it should be expected that it will happen. When you say "OK, listen to my mic so we can do some cool stuff," Chrome should let the site you gave permission to listen to your mic, so cool stuff can happen. If you don't close the window that has permission to listen in, it's going to listen. This is the expected behavior, and exactly how things were designed to work. 

But what could potentially happen is that a crafty web developer could open a small pop-up that you may not notice. It inherits the permission to listen, and keeps listening until you close it. This means it can hear what you say on the telephone, or to other people in the room, or the Iron Maiden that you're playing loudly at your desk. And transmit it all to the website with permission to hear it.

Google will sort something out. I'm actually glad that they didn't jump in and change the way windows and tabs listen, because things should work the way they do. Having to give permission on every single page you navigate to on a website is not a good user experience. On the other hand, Google needs to protect its users somehow. Not everybody knows to block pop-ups in their Chrome settings, and to appeal to the normal user you need to protect the normal user. I don't know how they should fix this, and I'm glad it's not my responsibility to figure it all out.

What should we do?

pop-ups must die

In the meantime, there are two easy fixes. You can simply never give permission for a site to use your microphone, or disable automatic pop-up windows. To do that, open your Chrome settings and click the "Show advanced settings" link. In the privacy settings, click the "Content settings" button. In the new window, scroll to the Pop-ups section, and set them to Do not allow on any site. This is the recommended and default setting, and will cover most pop-up windows on the web. When you need to see a pop-up window, you can click the Omnibar to show it.

In the end, we just have to be dutiful and pay attention to the windows open on our computers until Google sorts out exactly how to handle issues like this one. Google is dead-set on pushing voice interaction with our electronics, and along with it will come obstacles. Hopefully, they sort the issues as fast as they push the technology.

 

Reader comments

Yes, Chrome may be listening — because you told it to

41 Comments

I would have to agree that it is working as intended. If we are to see advancement with these types of features, then we have to become aware of what we are allowing programs and hardware to do with the permissions that we give them. There will always be ways to take advantage of technology as it advances.

I avoid built in mics and cameras, but on lap tops its kind of standard equipment.

Bet you have a smartphone and/or tablet, and in that case, you have to be cautious.
Not all of these have "on the air" indicator lights. It should be the law.

I recommend Office Depot Item # 760218 for your laptop or tablet camera.

Do not allow any site to show pop-ups is a great idea.

I seem to recall you can't use Android central forums without listing it as an exception.

Jerry: Have the forum guys check that out. Its been a while, since I added it as an exception, and I forgot the exact reason. Think it had something to do with a pop-up sign in window or something.

Google could put a microphone icon on the address bar, and color it red and pulse it visually, whenever any page is listening to the microphone. It could be static and black when no page is listening.

That way, even if some hidden popup page is listening after you closed the original page you gave permission to, you'd have a visual indicator (or a reminder even if you knew, but forgot).

Clicking on the microphone, when active, could pop up a list of the page(s) that are listening, and give you the option of bringing the page to front where you can see it, or close the page, or possibly leave the page open but retract the permission to use the microphone.

That would make it harder for nefarious folks to code a nasty page, without materially changing the current behavior.

The latest vesrion of Chrome (M32) has some of these features built-in. Indicators show which tabs are using your webcam and speakers (Source: Everyone can now track down noisy tabs, Google Chrome Blog). It seems they should do a symbol for the mic as well.

Actually, what you can do is tell Windows to always show that mic notification in the task tray instead of hiding it. Done and done.

Default setting works for me. But still not overly concerned about someone listening in when I am petting the dog of vacuuming. I see the privacy concerns but not for me.
Thanks for the report
Posted via Android Central App

It's even better lol

Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.

Lol, nothing gets past you, Joe.

Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.

Fb, Twitter, almost any social media app you install on Android does the same thing all the time, any time. Not just the mic, but same goes with the camera as well.

No, it was CLEARLY sarcasm. Couldn't you tell by the /sarc... Oh wait, lol.

Posted from my "Gift from God" Note 3, my "God-Given" iPad Mini 2, or my "Risen" Samsung Chromebook.

This was the case with microsoft messenger (when it existed). But frankly all this hype about inavasion of privacy blah blah blah I for one am not going to go and tape up my webcam and mic (or my windows and doors for that matter). If I am required to post what color underware I'm wearing everyday, then fine I'll comply. I rather not lose my freedom like Mr. Snowden did. Because frankly outside of a well and provided society, all else suck as Mr. Snowden is realizing. Care to learn? Go book a flight to some ancient society like North Korea.

I don't have a problem with these permissions. Just makes me think twice before taking a laptop into the bathroom

Posted via Android Central App

So what you're saying is that somewhere, deep down in the doldrums of the interwebs, some crafty, devious, diabolical web developer has a recording...of...Jerry Hildenbrand singing Justin Beiber. Say it ain't so! I need to get my hands on that recording

Well, I can definitely understand why some people would be uncomfortable with this.

Posted via AC App on HTC One

As much as I am for bettering technology - whether that be voice integration or waving my arms around for a more seamless experience this seems lazy to me on Google's part.

Not everyone has the passion, understanding or the time to read technology like this and therefore wouldn't have found out about this type of issue.

IMO this should be a "Beta" (could even be open beta) feature and taken off the main version that tons of end users may use and have no idea.

Now I'm starting to understand the logic of end users who tape up their webcams because they font know better and aren't trusting companies to always have their interests at heart - seems to be one of them.

Personally pop ups are always blocked so I'm okay but it's still an issue.

Posted via Android Central App

If that's the "recommended and default setting" how did the browser switch to the other setting without the user intentionally changing away from the default?

You could also pay attention to what popup windows happen to be open. It's not that hard. People need to learn to open their eyes when using a computer. So many exploits depend on users being barely sentient when computing....

Posted via Android Central App on Nexus 7 2013 LTE