Yes, Chrome may be listening — because you told it to

Windows with permission to listen to your microphone keep listening until they are closed

There's news today about a new exploit in Chrome, that centers around the recently-introduced listening features. The new feature is not just limited to Google search, and any webmaster can implement it on his or her site with minimal coding. That is exactly the sort of thing that leads to scary-sounding issues, like the one today. 

In a nutshell, a website can ask for permission to use your microphone. Once granted, it can open another window from the same domain, and listen to the sounds coming in from your mic. Even if you surf away from the original window that asked permission. This becomes a problem when users lose track of what windows they may have open, and leave a sneakily placed pop up window running all day long to listen to everything it can hear.

But is this the expected behavior? Read on.


Working as expected? Maybe

This isn't exactly a new issue. The fellow that first found and reported the issue did so back in September of 2013. The issue was acknowledged, and code to fix it all was written. But it has yet to be merged, because the people who decide things like standard behavior for new features haven't decided if this is expected behavior or not. 

When you give permission for something to happen, it should be expected that it will happen. When you say "OK, listen to my mic so we can do some cool stuff," Chrome should let the site you gave permission to listen to your mic, so cool stuff can happen. If you don't close the window that has permission to listen in, it's going to listen. This is the expected behavior, and exactly how things were designed to work. 

But what could potentially happen is that a crafty web developer could open a small pop-up that you may not notice. It inherits the permission to listen, and keeps listening until you close it. This means it can hear what you say on the telephone, or to other people in the room, or the Iron Maiden that you're playing loudly at your desk. And transmit it all to the website with permission to hear it.

Google will sort something out. I'm actually glad that they didn't jump in and change the way windows and tabs listen, because things should work the way they do. Having to give permission on every single page you navigate to on a website is not a good user experience. On the other hand, Google needs to protect its users somehow. Not everybody knows to block pop-ups in their Chrome settings, and to appeal to the normal user you need to protect the normal user. I don't know how they should fix this, and I'm glad it's not my responsibility to figure it all out.

What should we do?

In the meantime, there are two easy fixes. You can simply never give permission for a site to use your microphone, or disable automatic pop-up windows. To do that, open your Chrome settings and click the "Show advanced settings" link. In the privacy settings, click the "Content settings" button. In the new window, scroll to the Pop-ups section, and set them to Do not allow on any site. This is the recommended and default setting, and will cover most pop-up windows on the web. When you need to see a pop-up window, you can click the Omnibar to show it.

In the end, we just have to be dutiful and pay attention to the windows open on our computers until Google sorts out exactly how to handle issues like this one. Google is dead-set on pushing voice interaction with our electronics, and along with it will come obstacles. Hopefully, they sort the issues as fast as they push the technology.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.