Google Chrome’s seamless updates have long been a big part of its appeal. But perhaps not anymore. With the latest version of Chrome already installed on hundreds of millions of computers and smartphones around the world, a significant warning has been issued that you might not like what it has running inside.
Picked up by The Register, Chrome 80 (check your version by going to Settings > About Chrome) contains a new browser capability called ScrollToTextFragment. This is deep linking technology tied to website text, but multiple sources have revealed it is a potentially invasive privacy nightmare.
02/22 Update: while Google is currently under pressure for new privacy concerns within Chrome 80, the company has now issued its own warning about Microsoft’s new Chromium-based Edge browser. Google warns that, while technically compatible, installing Chrome extensions on Edge causes security vulnerabilities. To stress this point, Google is issuing a popup to every Edge user who visits the Chrome web store stating that it “recommends switching to Chrome to use extensions securely.” To date there have been no reports of security compromises using Edge with Chrome extensions, including from Microsoft itself. So whether there is a genuine risk or this is a scare tactic from Google as it ties to protect its market position from Microsoft’s ambitious new browser, remains to be seen. Either way, you should stay alert.
02/23 Update: Google is in the spotlight over its controversial inclusion of ScrollToTextFragment in Chrome 80, but the company has now stepped over two significant areas to improve its user transparency. First, (via 9to5Google) the company is changing its Chrome terms of service for “improved readability” and “better communication” with plainer language and notifications when changes are made showing where and why. Second, ChromeStory has spotted a new code commit in Chrome which will give users more choice over how their passwords are stored. Currently you can either sync all your passwords in the Google Cloud or nothing at all, but the new code (named “Butter for passwords”’) will allow Chrome users to selectively pick which passwords are synced to the Google Cloud and which are kept locally on device. This would be a big deal for users with highly sensitive passwords which they want kept away from both Google and other Google devices they own. This would be a notable step forward and a win for end users.
To understand why requires a brief guide to how ScrollToTextFragment works. The simple version is it allows Google to index websites and share links down to a single word of text and its position on the page. It does this by creating its own anchors to text (using the format: #:~:text=[prefix-,]textStart[,textEnd][,-suffix]) and it doesn’t require the permission of the web page author to do so. Google gives the harmless example:
“[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat’s diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
The deep linking freedom of ScrollToTextFragment can be very useful for sharing very specific links to parts of webpages. The problem is it can also be exploited. Warning about the development of ScrollToTextFragment in December, Peter Snyder, a privacy researcher at Brave Browser explained:
“Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
And it was Snyder who spotted that ScrollToTextFragment is now active inside Chrome 80 stating that “Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a ‘don’t break the web’, never-cross, redline. This spec does that.”
David Baron, a principal engineer at Mozilla, maker of Firefox, also warned against the development of ScrollToTextFragment, saying: “My high-level opinion here is that this a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.”
Defending the decision, Google’s engineers have issued a documentoutlining the pros/cons of the deep linking technology in ScrollToTextFragment and Chromium engineer David Bokan wrotethis week that “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in.”
Bokan says the company will work on an opt-out option, but how many will even know ScrollToTextFragment exists? And here lies the nub of it: Google has such power it can be judge and jury to decide what is or isn’t acceptable. So ScrollToTextFragment, with its unresolved privacy concerns and lack of support from other browser makers, is now out there, running in the background of hundreds of millions of Chrome installations.
Whether you want to be part of that is up to you.
All Rights Reserved for Gordon Kelly