Why You Should Delete Google Chrome On Your Phone
Cybersecurity
Nov 6, 2021, 06:30am EDT
I cover security and surveillance and co-host 'Straight Talking Cyber'
A stark new warning for billions of Google Chrome users, as the
browser is exposed harvesting very sensitive phone data without users
realizing. This latest privacy nightmare should give you a reason to
delete Chrome on your phone.
Last
month, Facebook’s app was exposed tracking the movements of
iPhone users, tapping into the device’s accelerometer at all times.
Facebook is the world’s greediest data harvester, and this sensitive
information can be used to monitor behaviors, linking with the extraordinary
amount of data it collects.
But Facebook isn’t the
world’s most successful data harvester—that prize goes to Google. Unlike
Facebook, which has been hit hard by Apple’s latest privacy measures, Google’s
digital ad revenues continue to soar. The reality is that while Facebook/Meta
acts as a lightning rod, Google is the much bigger threat to your privacy.
While
Facebook was collecting this information for itself, Chrome is happy to collect
it for others—essentially enabling a free-for-all when it comes to hugely
sensitive information about your every activity, your every behavior.
Researcher Tommy Mysk warns that “the motion sensor is
accessible to all websites in Android/Chrome by default, [whereas] Safari/iOS
protects access by a permission.” What’s much worse, though, is that Chrome
does this even when it’s set to private browsing or “incognito” mode. How can
this be okay?
“The way Android handles the accelerometer is much worse [than
Facebook],” Mysk told me. “Apps can even read it in the background. My team
implemented a pedometer functionality in our app. The app would count steps even
if the app wasn't running at all. Because the logic was a background service
that ran all the time.”
In
response to the security research, Google told me that “we intentionally
limit the resolution of motion sensors in Chrome, and since 2019 we’ve had controls
that allow users to block websites from accessing a device’s motion sensors
altogether. We take user security and privacy seriously, and we’re always
working on new ways to improve security and privacy in Chrome.”
But this
is data that Chrome is making available to any site that asks—by default. Apple
improved its security
and privacy by blocking that data and mandating a specific, time-boxed
permission any time it was requested. That’s how it’s done, Google.
I’ve warned before about Chrome’s woeful
privacy risks. Put simply, with Chrome, Google works both sides of
the fence when it comes to your browsing: providing the search and digital ad
infrastructure behind the scenes, while controlling the front-end browser that
you’re using. Essentially harvesting your data at both ends.
This
issue is exacerbated by Google’s philosophy when it comes to your privacy—put
simply again, you’re a product to be monetized to drive its huge levels of
profitability. Your behaviors can be tracked across multiple platforms and
services, and that information can be used to drive the world’s most valuable
influencing platform.
The
recent backtrack over FLoC, where Google admitted “accidentally” allowing
millions of users to be secretly tracked, tells you all you need to know. Then
there’s the ongoing mixed messaging on private browsing, as well as enabling,
by default, the reporting of users’ inactivity. Google Chrome is bad news on the
privacy front. Period.
“Google
has been professing their intent to figure out how to place ads in a
privacy-preserving way,” Mozilla told me recently, “but those plans keep being
delayed,” while their functionality “tracks people and enables new ad use
cases.”
Apple’s WebKit, which restricts the behaviors of Safari and
other browsers operating on iPhones, introduced specific permissions for accelerometer
access with Safari 13 in 2019. That followed research exposing the very same
exploitation of such permission-less access by mobile websites that Chrome on
Android still allows.
Those
researchers found that
mobile websites were tapping into device sensors “for purposes other than what
W3C standardization body had intended. We found that a vast majority of
third-party scripts are accessing sensor data for measuring ad interactions,
verifying ad impressions, and tracking devices. Our analysis uncovered several
scripts that are sending raw sensor data to remote servers.”
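
A site owner can look for the behavior the researchers describe in the scripts their own pages load. The following is an added example, not code from this article or the cited research: a first-pass static audit in JavaScript that flags scripts referencing the standard motion-sensor web APIs together with a network-sending call. The script URLs, sample sources and severity labels are constructed for illustration.

```javascript
// Added example: first-pass static audit of page scripts for motion-sensor use.
// The patterns name standard web APIs; sample scripts and severity labels are constructed.
const SENSOR_PATTERNS = [
  { name: "devicemotion", re: /\bondevicemotion\b|['"`]devicemotion['"`]/ },
  { name: "deviceorientation", re: /\bondeviceorientation\b|['"`]deviceorientation['"`]/ },
  { name: "generic-sensor", re: /\bnew\s+(Accelerometer|LinearAccelerationSensor|Gyroscope)\b/ },
];
const NETWORK_PATTERNS = [
  { name: "fetch", re: /\bfetch\s*\(/ },
  { name: "sendBeacon", re: /\bsendBeacon\s*\(/ },
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/ },
  { name: "WebSocket", re: /\bnew\s+WebSocket\b/ },
];

// Names of every pattern in the list that occurs in the script text.
const hits = (patterns, source) =>
  patterns.filter((p) => p.re.test(source)).map((p) => p.name);

// Classify one script: sensor access alone needs review; sensor access plus a
// network call is graded higher when the script is served from another host.
function auditScript(url, source, firstPartyHost) {
  const sensors = hits(SENSOR_PATTERNS, source);
  const network = hits(NETWORK_PATTERNS, source);
  const thirdParty = new URL(url).hostname !== firstPartyHost;
  let severity = "none";
  if (sensors.length > 0) {
    severity = network.length === 0 ? "review" : thirdParty ? "high" : "medium";
  }
  return { url, thirdParty, sensors, network, severity };
}

// Audit all scripts loaded by a page and keep only those touching sensors.
function auditPage(scripts, firstPartyHost) {
  return scripts
    .map((s) => auditScript(s.url, s.source, firstPartyHost))
    .filter((r) => r.severity !== "none");
}

// Constructed sample input: one benign script, one third-party tag, one first-party widget.
const SAMPLE_SCRIPTS = [
  { url: "https://shop.example/app.js", source: "document.title = 'Shop';" },
  { url: "https://ads.example.net/tag.js", source:
      "addEventListener('devicemotion', e => navigator.sendBeacon('/m', JSON.stringify(e.acceleration)));" },
  { url: "https://shop.example/compass.js", source: "window.ondeviceorientation = e => rotate(e.alpha);" },
];

console.log(auditPage(SAMPLE_SCRIPTS, "shop.example"));
```

Pattern matching over source text misses obfuscated or dynamically built code, so a clean result is inconclusive and findings should be confirmed by observing the page at run time.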
[Image: Apple Safari requires specific permission to access motion (APPLE IOS / SAFARI)]
That research, Mysk told me, “pushed Apple to protect Safari
on iOS... I’m not sure why Google didn't apply similar measures.”
Given the research referenced ad delivery and measurement as a core focus for
tapping sensors, we can hazard a guess as to why.
While
Apple disables motion sensor access by default, Google not only enables that
access, but despite prior warnings it also tells users this is a “recommended”
setting to keep enabled. The difference between Apple and Google could not be
more stark. The irony, of course, is that you’re safer using Chrome on an
iPhone than an Android, because Apple blocks this type of data harvesting for all browsers.
[Image: iOS forces permission request on Chrome (CHROME / IOS)]
As one developer on the Chromium discussion on this setting asks,
“why would the motion sensor permission be an allow/ask pair instead of an
ask/block pair? Is it just so Chrome can default to allow? Not many sites
outside of Maps need the motion sensor APIs. I've disabled it and it's always
surprising to see a site use motion sensors.”
If
providing motion sensor data to websites was a real requirement, one so popular
as to justify being on by default, then iPhone users would have been inundated in
recent years with that permission request. But they haven’t. Most will never
have seen it. Not once.
You can
disable access to your phone’s motion sensors in Chrome on Android in Site
Settings—but you will see that Google recommends leaving it on.
[Image: Disable Motion Sensors (GOOGLE CHROME / ANDROID)]
The reality is that while Apple versus Facebook has taken the
headlines, the iPhone maker has arguably done more to show up Google’s privacy
infractions than anyone else’s. And all the while Android plays a game of slow
catch-up with the higher profile privacy innovations that Apple introduces with
its iOS updates. But then we find these hidden issues that haven't yet grabbed
headlines and which remain issues.
Google
emphasizes the settings it offers to change default settings—to restrict
location tracking in your account, to disable monitoring the time you spend
away from your device, to switch off new privacy sandbox tracking features, to
stop cross-site tracking, to disable third-party cookies, to block phone motion
sensing. But there’s a theme—everything is switched on out of the box unless
you actively find it and change it. Nothing is private by default. And that’s
woeful from a privacy perspective.
Yes, on
Android, you can find and disable the motion sensor. But it’s not acceptable to
rely on users proactively changing settings to protect basic privacies. Apple
and others now add such measures by default. In reality, very few users know
about these issues and even fewer will follow the multi-step menus to change
core system settings. This is especially true when Google marks such settings
as “recommended.”
We now
await FLoC V2, as Google’s Privacy Sandbox continues to search for an
impossible solution to protect user privacy without compromising the
monetization of user data. My advice is not to wait and to opt for an
alternative browser. On Apple you should use Safari, and on Android and other
non-Apple platforms Firefox is a much better option, if you don’t want to opt
for privacy-first DuckDuckGo or Brave.
[Image: How To Delete Chrome On Your Phone (GOOGLE ANDROID)]
Apple has led the way with Safari in defaulting to
privacy-centric options out of the box. Its latest innovation, Private Relay,
breaks the link between user identities and web sites, essentially undermining
the core basis behind web trackers. Google could never follow their lead; it
would severely damage its business model.
Chrome is
isolated as the only major browser that has not yet acted to stop cross-site
tracking, the only browser (illustrated by Apple’s privacy labels when used on
iOS) that collects vast amounts of data, all of which link back to user
identities, the only major browser that pushed out FLoC, despite numerous
privacy warnings. On Android, you can delete Chrome by disabling the stock
browser in your settings.
“The rule
of thumb in information security,” Mysk warns, “is that private information should
be protected. Access to the accelerometer should be protected.”
Chrome is
the world’s most popular browser, controlled by the world’s largest digital
advertising giant, by the entity that controls 75% of web tracking. The maths
is simple. Until users make choices that put privacy first, we can’t expect
anything to change.