• On TV.com: THE GIRLS NEXT DOOR photos
September 3, 2008 11:31 AM PDT

Google's Omnibox could be Pandora's box

Posted by Ina Fried
  • Print

The auto-suggest feature of Google's new Chrome browser does more than just help users get where they are going. It will also give Google a wealth of information on what people are doing on the Internet besides searching.

Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter.

What's more, Google has every intention of retaining some of that data even after it provides the promised suggestions. A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it.

In theory, that means that if one were to type the address of a site--even if they decide not to hit enter--they could leave incriminating evidence on Google's servers.

Omnibox

Information typed into Google's Omnibox bar could end up on Google's server--provided Google is your default search engine and you have Chrome's auto suggest-feature turned on.

(Credit: CNET News)

That said, individuals have a clear way to use Chrome and avoid having this occur. Turning off the auto-suggest feature means that Google will neither get nor store this information. One can also select a search provider other than Google as their default to avoid having their search queries stored by Google. (Update 11:45 a.m. PDT: Switching to Chrome's Incognito mode also switches off the auto-suggest features, the Google representative said.)

Beyond the individual level, though, there is the question of what Google will be able to do with all this information in aggregate. Folks already concerned about how much data Google has from its Web search history may well have another reason to worry. That is in addition to separate concerns raised by the product's End User License Agreement (EULA).

Assuming Google finds a way to use this data to make its Web search even better, it could also make Microsoft's job of catch-up even harder than it already is.

As I wrote before, Chrome's threat to Microsoft goes far beyond Internet Explorer. It puts pressure on the Windows team to innovate faster and, apparently, could also make life even tougher for the Live Search folks.

Click here for full coverage of the Google Chrome launch.

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft. E-mail Ina.
Topics:

Windows,

Microsoft,

Online services

Tags:

Chrome,

Microsoft,

Google,

Internet Explorer,

Live Search,

privacy

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Beyond Binary
Microsoft: Not all information can be free
Microsoft confirms Yahoo hire
Microsoft: IE 8 won't be done until 2009
Microsoft, labels try to revive subscriptions
Yahoo search exec departs, perhaps to Microsoft
Add a Comment (Log in or register) 75 comments
by SnidleyWhiplash September 3, 2008 11:59 AM PDT
But, but, but... but their motto is "do no evil"... so that must mean that even though they're doing these things in less than transparent ways, it must all be for the greater good, right? The good of the shareholders, anyway. Why is anyone still surprised that Google is going to snarf all your data and make money off of it... it's the entire purpose of the company! What' *is* still surprising is that any individual or business with confidential or proprietary data would ever make use of -- or allow its employees to make use of -- any Google App or this new browser.
Reply to this comment
by The_Decider September 3, 2008 12:35 PM PDT
Any company that has to explicitly state that they aren't going to do evil is one to doubt.

Just like some brainless pop singer saying she is going to "keep it real".

If people are dumb enough to use this, then they deserve everything that can happen to them.
by Hardcode September 3, 2008 12:03 PM PDT
I really want to see some of the spin that the fanboys come up with to defend Google on this. Come on guys, get creative.
Reply to this comment
by skiwithpete September 4, 2008 2:31 AM PDT
Do you use NoScript in Firefox? Otherwise Google already collects so much information about you that a few search keystrokes ain't gonna make no difference no how.
by kojacked September 3, 2008 12:06 PM PDT
No need to get the privacy advocates' undies in a bunch. Entering text for a search is akin to walking in to a public space shouting "anyone here that knows how much Google's stock rose today". People hear each word as you utter them (i.e. like typing in the search or address bar) and can turn and look towards your blow hole (i.e. knows your PUBLIC IP address) to see who making the request. Ok so your are shouting from your bedroom window; you are still making it a public matter.

Besides it's not like Google is browsing your hard drive for data and uploading useful information for it's business when you use their browser.
Reply to this comment
by The_Decider September 3, 2008 12:14 PM PDT
I see you didn't read the article, it will also log any keystroke, even if you didn't enter it. That means it is logging your thoughts as well and your "shouts"(which is a fairly poor analogy).

If you are going to support this, at least understand it.
by Vegaman_Dan September 3, 2008 12:49 PM PDT
If you use the browser to view a website, directory listing, or even a list of files on your own local machine, those results are recorded and sent to Google for them to use however they wish. Their EULA gives them the right to do whatever they want with it.


It gets even better with one line in their standard services EULA which this falls under:


"By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services."


So... be careful in viewing artwork online. If you can see it on the screen, Google now reserves the right to do whatever they want with it, including selling it, modifying it, etc. Your continued use of the product is all the permission they need. Now I expect that has yet to be tested in court, but it's a dangerous thing indeed.

by kojacked September 3, 2008 11:30 PM PDT
"Google will have access to any keystrokes that are typed into the browser's Omnibox,"

They track just the Omnibox, not every textbox. Looks like I read just fine. People see Ina talk down "auto-suggest" and forget that he/she is speaking in context of the Omnibox. If google wants to know where I want to go or thought I might want to go that's fine by me. Hell they already know what I search on when I use their search engine.
by Vegaman_Dan September 3, 2008 12:07 PM PDT
Well, Google *has* stated publically that they don't care about your privacy and fully expect to use any information they get for commercial purposes. If they get a hold of your bank account information because you didn't quite hit that enter key, then that information should be available online for others to search for.


Good job, Google. You just made it even easier for identity theives to steal information- you'll let them search for it.

Reply to this comment
by timber2005 September 3, 2008 12:19 PM PDT
That is actually a very very very good point. Kind of like that issue with teh Google Toolbar allowing access to cached private data, if you made a change to a URL that had a unique ID tied to your account, that would be cached by google and allow them (potentially) to have access.

Not good at all.
by The_Decider September 3, 2008 12:33 PM PDT
I hate to agree with you, but I have to.

It is pretty scary what Google hacking and normal searches can bring up right now. With people using this browser, even more info will be available to anyone.
by gagahput3ra September 3, 2008 12:07 PM PDT
Lots of things smell fishy on this Chrome release, the box, the "send your usage statistics" checkbox which is already checked when installation, then now this omnibox case....

Google needs to clean up this trace if they want to continue become an angel that's always watching people and tracking what we do. If not, then bye2 Google, i'm moving to Cuil. (Which already wants to kill me anyway)
Reply to this comment
by Galphanore September 4, 2008 10:28 AM PDT
I don't know what you installed, but the box isn't checked by default in chrome.
by The_Decider September 3, 2008 12:09 PM PDT
So much for this not being pure spyware.

Open source or not, that doesn't mean it isn't malware. Google seems to believe that its users will accept any privacy or invasion, sadly they are correct.
Reply to this comment
by The_Decider September 3, 2008 12:12 PM PDT
Its policy of forcing users to choose to opt out of privacy violating features puts Google squarely in the do evil category.

If they had any ethics or morals, everything, including web spiders would be opt-in.
Reply to this comment
by skurewu September 3, 2008 12:12 PM PDT
So Google knows what you're searching for and what URL's you're typing in the address bar, so what? Unless they can connect the dots on who is the user (which involves mapping an IP to an ISP customer) and the information they've typed, an individual's privacy has not been violated. ISP's have much more power when it comes to privacy and Internet history trails. The only thing to get mad about is the fact that Google is profiting off a users regular use of a web browser URL box, but it's not like any of us were going to make any money selling that information independently. The only people who have to fear this feature are people going to illegal sites that can prompt an ISP to reveal a customer. The bottom line is that the ISP is the gate keeper, Google cannot determine any user's identity alone.
Reply to this comment
by Vegaman_Dan September 3, 2008 12:56 PM PDT
Their EULA allows them to capture whatever is on your screen as well for use however they wish. This includes your bank account information, social security information, children's information, etc. Anything you see on the screen is now theirs to use as they see fit. It's an incredibly bad idea. The EULA is standard for all their services, and that has applied to Gmail too for years now without any issue, but just because they haven't done anything with it doesn't mean they will not later. It's just a bad setup from the beginning.


Imagine the chaos this could cause if you worked at a health care company and used the browser to search for internal sites. Those sites and names may not be publically available normally outside the company, but with this they now are. It's a HIPAA nightmare right there alone. As a result, corporations may have no choice but to ban any and all Google usage on their systems and that would include search and email.


Granted, a lot of this is 'the sky is falling' sort of thing, but with Google's blatant policy that there is no such thing as privacy, it becomes a bit more scary.

by Vegaman_Dan September 3, 2008 1:46 PM PDT
UPDATE: Google has announced the will be modifying the EULA to remove the content language that has people up in arms. They will still continue to collect anything you type in the address/search bar however. You will need to change the security settings to prevent that from going back to them.


So not as bad as it could be, but privacy is still an issue.

by fogr4 September 7, 2008 10:10 PM PDT
If you use google mail, google knows your email address and your URL. Now you decide to search from the same URL, and google knows what email address did the search.
by fogr4 September 9, 2008 8:36 PM PDT
Sorry, that last posting was slightly incorrect. It should say:

If you use google mail, google knows your email address and your IP. Now you decide to search from the same IP, and google knows what email address did the search.
by The User September 3, 2008 12:18 PM PDT
One of the reasons I'd never use Google products outside of their search engine. Similarly, I wouldn't use MS web products, aside from Messenger.
Reply to this comment
by Galphanore September 4, 2008 10:30 AM PDT
Typing in the omnibox is exactly like typing in the search engine. They receive the same information, they just receive it before you hit submit. Honestly, what are you typing to your address bar/omnibox that you wouldn't type in a search engine?
by bruceone September 3, 2008 12:21 PM PDT
I wonder what wouldnt feel someone accessing porn having incognito off, and then days after the girlfriend receiving tons of ads related to dolls and such...haha
Reply to this comment
by onlyauser September 3, 2008 12:30 PM PDT
TRIED Chrome and I liked it, however, if this is the case I will NEVER EVER use CHROME AGAIN and Google can BURN in Internet HELL!
Reply to this comment
by Shoogle2 September 3, 2008 12:36 PM PDT
Wow, the tinfoil hats have been donned in record time for this one! Until this thing stealthily installs itself and begins sucking your passwords dry, let's not go over the malware cliff just yet.
Reply to this comment
by The_Decider September 3, 2008 12:53 PM PDT
The EULA is the very definition of malware.
by graceinhim September 3, 2008 12:37 PM PDT
If you don't believe that what ever you do no matter what browser or ISP you use on the internet is being logged then you are kidding yourselves.
Reply to this comment
by The_Decider September 3, 2008 12:55 PM PDT
That excuses it? Firefox doesn't do this. Neither do Opera, Safari, or Seamonkey.

My ISP is legally bound to keep what I do private except if a warrant is produced. My ISP(Qwest) has proven its commitment to privacy. Google is different, they are looking to trace what you do and say for its profit.

If you can't see the difference, then don't come here crying when Google has a cached page of your bank account records with your name, account number and SSN on it.
by smist08 September 3, 2008 12:49 PM PDT
Google seems to have turned plenty evil:

I received this from a security officer of another organization, and I believe it to be worth consideration.

?The Google Chrome Browser has been put on the banned software list. If you have it installed please remove it from your system. Google has included some extremely harsh terminology in their user license that gives them ownership of content you view through the viewer. In our environment that could include source code, proprietary information stored in pdf?s viewed on line and other [companyName] property. Until we can research the impact, this browser will remain on the ?do not install? list.?

The section of the license agreement in question is:

?"By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post or display on or through, the services. This license is for the sole purpose of enabling Google to display, distribute and promote the services and may be revoked for certain services as defined in the additional terms of those services."
Reply to this comment
by Vegaman_Dan September 3, 2008 6:19 PM PDT
Google has backed off this and will be making up a new EULA that will address these issues. They haven't *yet*, but they do plan to and make it retroactive. That said, it doesn't address the text entered on the search/address bar at all, which *is* keylogging what you are doing. I can see why corporations might want to think twice about allowing this on their system.


This 'organization' you got this email from woudln't happen to be in Redmond or Cupertino, would it?

by Galphanore September 4, 2008 10:27 AM PDT
Let your security officer know they've changed the license agreement, that section now reads "11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services."
by HighlySuspicious September 3, 2008 1:12 PM PDT
Hasn't all this same information been logged in 'Google Web History' for years now? What makes it any different other than they are doing it THROUGH THEIR OWN BROWSER now?
Reply to this comment
by The_Decider September 3, 2008 1:23 PM PDT
No, this is information that would never otherwise touch Google servers.

Using a Google browser means that EVERYTHING you do online can be cached and used in any way, including making it public.

This is a significant difference.
by kaibelf September 3, 2008 5:15 PM PDT
Huge HUGE difference. This one is logging your information as you type, before you actively implement a search at all! It's essentially a keylogger, which is WAY out of bounds for a sensible person. One typo and you could end up on the bad end of legal action, for example.
by drbasic September 3, 2008 1:17 PM PDT
I downloaded and intalled Chrome and then came here, I am back on Firefox . Firefox was snappier at loading the news.com and a few other sites I tried. I did not try and do just plain java script. Just normal website rendering with plenty of images and firefox is still the best browser out there. Feel free to try it yourself. There is a weird lag in Chrome where it is downloading web pages, it is real apparent when it is not cached maybe it's not properly threaded.

After reading this article there is another good reason not to switch.
Reply to this comment
by dmole September 3, 2008 1:44 PM PDT
I will admit I am not the smartest person when it comes to browsers but... the whole blurb about having rights to what you submit.... Doesn't that just cover their rears in regard to displaying their search results and how they come to those results based upon your searches?
Reply to this comment
by Galphanore September 4, 2008 10:32 AM PDT
It does, and they've clarified it. Read the current (As in updated three hours after chromes release, two days before this article was written) license.
by jsutaguy September 3, 2008 2:02 PM PDT
1. Your ISPs are not only logging your search terms, they are logging the content of email that you send and receive. It's called Deep Packet Inspection, and it makes Google's logging look like little bo peep. By ISPs, I mean AT&T, Comcast, Verizon, Charter, etc. As someone above pointed out, if you think that your web activity is not being monitored, you are out of your mind. Specifically, the "Patriot Act" gives the FBI the right to, without a warrant, monitor all your 'electronic transmissions'. This includes all your internet activities. This is NOT tinfoil hat stuff, it is well documented. Of course, once the FBI had this 'right', they reasoned that it was a good idea to monitor ALL interenet traffic, in case they ever needed to go back and see what somebody was doing last week, or last month. Google "Carnivore". Real program, supported by real hardware that has been installed in AT&T....one of their engineers discussed the installation of a secret server room which used NSA equiv dead man traps to enter/leave, and which only US government agents were allowed to access. Installed in AT&Ts main router room.

The ONLY way to surf anonymously is via an anonymizer like Tor, and the use of a VPN to an anonymized server. Even then, I'd bet the government has figured out to track you (maybe the built in NSAKEY in the Microsoft security DLL?) Google NSAKEY for THAT info.

*Sigh*...whatever happened to the USA I once knew?
Reply to this comment
by 4score20 September 4, 2008 9:10 AM PDT
*Sigh*...whatever happened to the USA I once knew?

It never existed. It was a self-perpetuating myth; a dream. The natural consequences of waking up from it is disapointment, which is probably what you're feeling. Welcome to the waking state!
by Foggy September 3, 2008 2:04 PM PDT
I read most of Google's EULA and I immediately set it up so it won't get my information legally. First look gives me zero need to use it. It's home page is bland and uninspiring, like Firefox. I'll try it out some more but will probably delete it. I'm writing this comment while in Flock. the premier Netscape inspired Browser. This browser could be a big problem for Google down the road, nobody likes Big Brother recording your every move.
Reply to this comment
by TV James September 3, 2008 2:19 PM PDT
So how often do we type something incriminating into our address bar and then not do anything with it? It's not like I'm typing "I'm going to steal a car from the Google parking lot at 3 pm today." and then erasing it and going to CNN.com.

Or type "playboy.com" and think "oh, wait, I meant playskool.com"

Of course people are going to raise a stink, and yeah, I'm sure people more paranoid than myself are going to flame me with responses, but frankly, I'm not sure I understand all of the hullabaloo.

Granted, I will concede that it doesn't sound entirely "not evil" and do they really need my IP address? But I'm not ready to go running around "The sky is falling."

Especially for a browser that doesn't do true full screen, doesn't offer searching inside fields, doesn't do Firefox add-ons and pretty much fails to run Remember the Milk. It's a shiny new toy that stole the Pokemon logo, but it's not something the world is going to be turning to any time soon.
Reply to this comment
 See all 75 Comments >>
advertisement

In the news now

Photos: Gadgets we're thankful for

Some of your favorite Crave contributors reveal which gadget or aspect of technology they're feeling most grateful for these days.



BlackBerry Storm packs more of a drizzle

review Phone has an innovative touch screen that provides tactile feedback, but the onscreen keyboard is a bit cramped, and the smartphone can be sluggish, and speakerphone quality is choppy.



About Beyond Binary

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Beyond Binary is a look at how technology is changing our lives and the people behind all that life-changing stuff, with an extra emphasis on that which emanates from Redmond, Wash.

Add this feed to your online news reader

Beyond Binary topics

Binary Bits

    Follow Ina on Twitter (Twitter name: InaFried)

    Featured blogs

    advertisement
    advertisement

    Inside CNET News

    Scroll Left Scroll Right
    News
    Latest news
    Business tech
    Green tech
    Wireless
    Security
    Media
    Popular topics
    Apple iPhone
    Apple iPod
    CES
    Cell phones
    Dell
    GPS
    CNET sites
    CNET Site map
    CNET TV
    Downloads
    News
    Reviews
    Shopper.com
    More information
    Newsletters
    Corrections
    Customer Help Center
    RSS
    What's new
    About CNET