Google Chrome privacy worse than you think

TJ Marsh · September 9, 2008 · Short URL: https://vator.tv/n/3f7

Ways it could improve!

I think Google Chrome is pretty awesome. A friend of mine let me in on some info about the secret project about 6 months ago, but I didn't get to actually try it till yesterday. I'm pretty impressed with some of their new innovative features like independent processes for tabs, compiled JavaScript, and the incognito mode.

But then I realized something huge. If you use Google Chrome, Google will know every URL you type into the location bar. More than that, they will know (almost) every partial URL you type into the location bar. More than that, they will know every word or phrase you type into the location bar, even if you type it and then delete it before pressing enter. More than that, all this information can be linked with your main Google account, because Google sends your cookie along with every automatic search it performs from the location bar. Chrome keeps track of which Google account you are logged into and uses that cookie to send along with its auto searches.

No other browser that I know of uses an automatic search/suggest feature in the location bar. The location bar is where you type the address of the site you want to navigate to. Firefox uses a suggest feature in the search bar. It makes sense to do it there. Google.com now has auto suggest on their homepage. It makes sense there too. Now it makes sense to also have it in the location bar in terms of a nice helpful feature. But in terms of privacy I think this is a new low. I think Google should, at the least, not be sending your cookie out with these searches. But even then they could be connected to you by IP.

Don't believe me? Go download the Wireshark packet sniffer and do some tests for yourself.

Now, to be fair, it seems they don't auto suggest once you've typed "https://", but who actually types that anymore? There are also some timing issues: if you type really quickly and hit enter, the auto suggest may not be attempted.

I'm sure there's a team of Google data mining engineers somewhere who are giddy as shit about having all this information once Chrome becomes more widespread.

Update: As a user points out, the data will be sent to whatever search engine you set in the options. Of course it will default to Google but if you were to change it to Yahoo or MSN they would be receiving this data instead of Google.

Here's an example of what Chrome is sending to Google while I'm typing the URL www.whatismyip.com into the location bar:

GET /complete/search?client=chrome&output=chrome&hl=en-US&q=ww HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.what HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.c HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.co HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.com HTTP/1.1

Here's an example when I'm typing the search query "how to cheat on taxes" into the location bar:

GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+t HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+c HTTP/1.1
...
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+tax HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+taxe HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+taxes HTTP/1.1

Even if I never pressed enter to submit the above search to Google, they would still have this data and be able to link it to my account.
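To audit your own capture for this behaviour, the following added example (not part of the original post) rebuilds what was typed from request lines of the shape shown above. The sample capture and the function names are constructed for illustration; it also keeps text that was typed and then deleted, since each partial string was already sent.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: request lines in the shape shown above, as they
# might be exported from a packet capture (one per line).
SAMPLE_CAPTURE = """\
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=ww HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.what HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=www.whatismyip.com HTTP/1.1
GET /index.html HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+c HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat+on+taxes HTTP/1.1
GET /complete/search?client=chrome&output=chrome&hl=en-US&q=how+to+cheat HTTP/1.1
"""

def suggest_queries(capture):
    """Yield the decoded q= value of every suggest request in the capture."""
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "GET":
            continue
        url = urlsplit(parts[1])
        if url.path != "/complete/search":
            continue  # ordinary page request, not a suggest lookup
        q = parse_qs(url.query).get("q")
        if q:
            yield q[0]

def typing_sessions(capture):
    """Group consecutive queries that extend or trim one another (typing or backspacing)."""
    sessions = []
    for q in suggest_queries(capture):
        last = sessions[-1] if sessions else None
        if last and (q.startswith(last["last"]) or last["last"].startswith(q)):
            last["last"] = q
            last["requests"] += 1
            if len(q) > len(last["longest"]):
                last["longest"] = q  # longest text ever sent, even if later deleted
        else:
            sessions.append({"last": q, "longest": q, "requests": 1})
    return sessions

if __name__ == "__main__":
    for s in typing_sessions(SAMPLE_CAPTURE):
        print(f'{s["requests"]} requests, longest text sent: {s["longest"]!r}, '
              f'left in bar: {s["last"]!r}')
```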

I should point out this feature can be disabled by going to Options -> Manage -> Uncheck "Use a suggestion ..."