More privacy in the Chrome web browser

Current reports have Google's Chrome web browser outranking the Firefox browser developed by the Mozilla Foundation [1]. Without a doubt, Chrome runs faster, but it also does large-scale eavesdropping on users. Google might provide the majority of the BSD-licensed source code as Chromium, but modifying the Chrome binary data runs afoul of its Terms of Service. The company arms the software with countless services and a search engine. Without modification, Chrome is constantly "phoning home."

This intrusion provides the company with very detailed information about users' habits that it then sells to the advertising industry. Stemming the flood of data from the browser to Google requires careful manual configuration and applying a number of add-ons and extensions.

Overview

The search engine giant published a white paper to disclose the various services with which the browser communicates [2]. Despite the white paper's feel-good intention, the company's data undeniably leads to creating detailed user profiles. All that's needed is to merge the data.

A main element of Chrome is its so-called Omnibox, the browser's address bar that also acts as a search field. After you enter only a few characters, Chrome contacts the Google servers or another search engine and tries to auto-complete the entry. It then conveys the IP address of the PC and various cookies to return as many relevant hits as possible. But that's not all. Right after a fresh installation, it contacts the Google website unprompted (Figure 1).

Figure 1: Without even opening a web page, Chrome has already contacted Google.

Fasting

To prevent transmission of data, you can first go to the configuration using the button with three horizontal bars at the upper right next to the Omnibox. The Settings entry opens a browser window with Show advanced settings at the very bottom. Click the link and scroll to the Privacy category, which has some defaults already set. Remove any undesirable ones by unchecking the boxes (Figure 2).

Figure 2: Google activates certain Chrome services by default that can convey plenty of data right to the company's servers.

Behind the Content settings… button lurk several additional options that determine the browser's behavior. Pay special attention to the Location and Media categories. If your computer has the corresponding hardware, it's recommended to activate the Do not allow sites to access your camera and microphone option in Media. In the past, various bugs in Chrome and the Flash Player plugin have allowed a specially crafted website to turn the browser into a spying tool. Attackers could take control of the webcam and microphone and eavesdrop in the vicinity of the compromised computer without users detecting it [3] [4]. If you still want to grant certain websites access to multimedia hardware, you can always do so by clicking Manage exceptions… (Figure 3).

Figure 3: Chrome allows unsolicited access to your system's webcam and microphone under certain circumstances.

Allowing all sites to track your physical location is especially useful for snoopers when your browser runs on mobile hardware. Therefore, it's also recommended to disable this feature in Location and define only trusted exceptions when needed.

Omnibox Nuisance

By default, Chrome contacts the predefined Internet search engines when you enter characters in the Omnibox and uses them to guess at other entries or further URLs "of interest." In doing so, the browser transmits extensive data on your system to Google or other search engines. Additionally, the accumulated proposals increasingly influence any future entries. In Firefox, you can make the Google search engine completely and permanently unlearn this seldom useful behavior with the YesScript add-on; in the Omnibox, this is possible only to a limited extent. To turn off the auto-completion, uncheck the Use a prediction service to help complete searches and URLs typed in the address bar option in the Privacy settings.

This provides only partial success, however. Omnibox continues to offer proposals even with the option turned off. These continue coming in from the browser history and bookmarks. The longer the browser session, the longer the list becomes. To avoid this, click the Clear browsing data… button in the Privacy settings and choose the items to deselect (Figure 4).

Figure 4: To effectively disable the Omnibox suggestions, you need to clear the browser data periodically.

Eavesdropping Strangers

External eavesdroppers can also be spying on your browsing habits, especially the big ad networks. Chrome provides the same add-ons as Firefox to combat them. Among them, Adblock Plus and Ghostery can keep phishers at bay. Unfortunately, Adblock has been in the firing line recently because of its dubious business practices [5]. To install both add-ons, open Tools | Extensions in Chrome and click Get more extensions at the bottom of the page, which takes you to the Chrome web store. Choose the desired add-ons and install them by clicking the + FREE button. Then configure Ghostery, which locates all trackers by default but doesn't yet block them. To prevent all forms of spyware, click Select all in Ghostery (Figure 5).

Figure 5: Ghostery blocks almost 2,000 trackers and updates the list regularly.

Unfortunately, preventing fingerprinting calls for disabling JavaScript, which can impact services such as Facebook and Amazon. To disable it nonetheless, in the Chrome settings, click Show advanced settings… and click the Content settings… button under Privacy. Under JavaScript, enable Do not allow any site to run JavaScript and click Done. Alternatively, install the Script Blocker for Chrome add-on from the web store, which allows enabling and disabling JavaScript for particular websites.

Incognito or Not

Chrome also provides a so-called incognito mode, which you can access via Ctrl+Shift+N in the browser. In this mode, the browser does not store history, cookies, or search history. To enable incognito mode right away when starting Chrome, add the option -incognito when you launch it from the command line:

$ google-chrome -incognito

You can make this change permanent by renaming the original google-chrome executable:

$ sudo mv /opt/google/chrome/google-chrome \
  /opt/google/chrome/google-chrome-real

then creating a new google-chrome script in the /opt/google/chrome directory:

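# The redirection must run as root (sudo echo ... > file does not), so pipe into sudo tee
$ printf '#!/bin/sh\nexec /opt/google/chrome/google-chrome-real -incognito "$@"\n' \
  | sudo tee /opt/google/chrome/google-chrome > /dev/null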

and then making it executable:

$ sudo chmod a+x /opt/google/chrome/google-chrome

However, keep in mind that incognito mode deactivates all installed add-ons, including those related to privacy. To reactivate the add-ons, go into Tools | Extensions and enable the Allow in incognito option for each one individually (Figure 6).

Figure 6: In incognito mode, Chrome deactivates all add-ons for security reasons. You can reactivate each one separately in the extension options.
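
The settings changed by hand in the sections above can also be enforced through a managed policy file, which users cannot switch back in the settings page. The following script is an added example, not part of the original article; it assumes Google Chrome on Linux reading JSON policies from /etc/opt/chrome/policies/managed/, and the file name privacy.json and both function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: enforce the article's privacy settings as Chrome policy.
# Assumed policy directory for Google Chrome on Linux
# (Chromium uses /etc/chromium/policies/managed instead).
POLICY_DIR_DEFAULT=/etc/opt/chrome/policies/managed

# Write the policy file into the given directory (default: system path).
# Mapping to the manual steps described in the article:
#   SearchSuggestEnabled=false        Omnibox prediction service off
#   VideoCaptureAllowed=false         no camera access for sites
#   AudioCaptureAllowed=false         no microphone access for sites
#   DefaultGeolocationSetting=2       block location tracking
#   DefaultJavaScriptSetting=2        do not allow any site to run JavaScript
#   IncognitoModeAvailability=2       always start in incognito mode
write_privacy_policy() {
    dir=${1:-$POLICY_DIR_DEFAULT}
    mkdir -p "$dir" || return 1
    cat > "$dir/privacy.json" <<'EOF' || return 1
{
  "SearchSuggestEnabled": false,
  "VideoCaptureAllowed": false,
  "AudioCaptureAllowed": false,
  "DefaultGeolocationSetting": 2,
  "DefaultJavaScriptSetting": 2,
  "IncognitoModeAvailability": 2
}
EOF
    # Policies must be readable by the user running the browser.
    chmod 644 "$dir/privacy.json"
}

# Print the value stored for one policy key; fail if the key is absent.
# Only handles the flat one-key-per-line layout written above.
policy_value() {
    file=$1 key=$2
    val=$(sed -n "s/^ *\"$key\": *\([^,]*\),\{0,1\} *\$/\1/p" "$file")
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Usage (as root):  write_privacy_policy
# Dry run:          write_privacy_policy /tmp/policy-test
```

After restarting the browser, the chrome://policy page lists the values Chrome actually applied.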

However, there are limits even to these add-ons. Some websites use Canvas fingerprinting [6], where a JavaScript snippet generates an image and stores its hash on the server (see the "Canvas" box for more information). Because the image is unique to each computer, the hash creates something like a unique identification fingerprint.

Canvas

Canvas is an HTML5 element that dynamically creates bitmap images, usually through JavaScript. Originally developed by Apple and used in Webkit, it was later standardized by the Web Hypertext Application Technology Working Group (WHATWG). All major browsers now support the element.

Conclusion

As interesting as technical innovations such as the sandbox, multiprocess architecture, or the Blink rendering engine might be, Chrome can be catastrophic from a data privacy perspective. The software uses every trick in the book to learn things about you, taking every opportunity to send the data to Google or some other interested party.

Omnibox can also be a hindrance in daily practice. On the one hand, it inundates users with often useless "suggestions" whenever they enter a URL or a search term and, on the other hand, relies on only one search engine, namely Google, as default.

Speed and modern interfaces are also dynamic factors. Firefox has not only replaced its older, stale interface with a newer one in its current version, but also raised its speed to acceptable levels.