131

I noticed that in Google Chrome, if I type in file:///C:/Users/MyUsername/Desktop/ it shows me all of the folders on my Desktop, and I can open up PDFs and such in Chrome just by typing in the file path.

What processes and systems are in place so that Google is not able to copy data stored on my computer? What processes and systems are in place so that someone who writes a Chrome extension is not able to copy files stored on my computer?

Pro Q
  • 1,349
  • 2
  • 7
  • 10
  • 97
    And would we even know if Google started pulling little bits of information from our computers here and there? Or already are? – Apollys supports Monica Jun 11 '18 at 18:55
  • 13
    Might be interested in reading about [Qubes OS](https://en.wikipedia.org/wiki/Qubes_OS). A more practical workaround might be to install a web browser in a virtual box, e.g. in Hyper-V on Windows 10. – Nat Jun 11 '18 at 20:18
  • 20
    I don't think this is limited to chrome, pretty much any web browser can do the same thing ... file:/// just says the URI is local to the computer it's installed on. – aslum Jun 11 '18 at 20:34
  • @aslum Agreed, Chrome was just my particular example. In the answers and other [comments](https://security.stackexchange.com/questions/187556/what-stops-google-from-saving-all-the-information-on-my-computer?noredirect=1#comment368741_187558) it appears as though it's not even restricted to web browsers. – Pro Q Jun 11 '18 at 20:42
  • 22
    @ProQ the pithy answer that isn't an answer is: The same thing that keeps any other program from doing so: If it did, it would rapidly become known as malware/virus and blocked by AV programs. – aslum Jun 11 '18 at 20:44
  • 34
    @aslum Chrome's already [been caught scanning files](https://www.engadget.com/2018/04/07/chrome-cleanup-download-scan/). But, dunno if most folks really care that much. – Nat Jun 11 '18 at 20:48
  • 5
    Storing the contents of everyone's hard drive would take a lot of storage space and cost a lot of money ...and what, if anything, would they stand to gain from that? Do basic business sense and a desire not to be sued out of existence qualify as process and systems? – HopelessN00b Jun 11 '18 at 21:30
  • 12
    related xkcd : https://xkcd.com/1200/ – everyone Jun 12 '18 at 10:10
  • 8
    News flash: Any exe (not just Chrome or other browsers) has basically unrestricted access to your computer. They can also connect to other computers on the local network (or Internet). I thought this was common knowledge. – gre_gor Jun 13 '18 at 17:23
  • @gre_gor Not common knowledge at all. I'm planning on majoring in computer science, and I had no idea this was possible. I assumed everything was sandboxed by default. I was talking to my dad about this question and learned about the local network connection. (If you could provide a link on how that connection works, that would be wonderful.) I think computer knowledge is being taught at a very different level nowadays, and very few people know that this is how they work. (Me included until I asked.) – Pro Q Jun 13 '18 at 18:42
  • @Nat That really does sound like a bug though, if you already downloaded the files through Chrome then it could have examined them while writing it to your hard drive, it wouldn't make much sense from an espionage perspective to do it again later. – MrLore Jun 13 '18 at 18:54
  • 1
    @MrLore it was going through files that had nothing to do with Chrome (not even downloaded using Chrome). I still think it was a bug, but a weird example that fits this question quite well. – Pro Q Jun 13 '18 at 18:57
  • 2
    On a side note, Windows, Word, Excel, Paint, Freecell, and World of Warcraft can all scan your files and make changes to your computer in a manner commensurate with your user permissions. Chrome is no different. It's just another program. – John Wu Jun 13 '18 at 23:15
  • 3
    @Pro Q Sandboxing is a thing with certain *mobile* devices, and with desktop apps that use a non-native framework like Java, and with special OS setups (eg Linux with apparmor). An .exe (or .scr or .dll for that matter) on a Windows PC or server is only restricted by the user permissions and UAC. – rackandboneman Jun 14 '18 at 07:16
  • 2
    Actually, google already knows enough about you (us) because they track every link you click on a google search. Nowadays, that's pretty much all you need, since a lot of people don't type the website address anymore but look for it on google. They also usually have all the e-mail addresses (and typically phone numbers) of your contacts, they scan the content of your e-mail, so they know about both you and the sender/recipient of the e-mail, they know which videos you watch and so on. Copying the data on your pc is not going to be worth the effort. – ChatterOne Jun 14 '18 at 10:48
  • 2
    As an aside, there's plenty of tooling available (albeit not necessarily anywhere near free-of-charge) for analyzing what an application is up to -- if Chrome were accessing content it couldn't be expected to, and then doing network transfers of a comparable size, that's not a hard pattern to detect from endpoint reporting that any big corporation with a large security budget will have deployed across their infrastructure. – Charles Duffy Jun 14 '18 at 17:07
  • 2
    If you want more security, you typically run programs in a virtual machine, such that they have no access to the "outer" system. – Willem Van Onsem Jun 15 '18 at 09:35
  • 2
    If you don't trust a software publisher, don't install their software on your machine. – IanF1 Jun 16 '18 at 14:04
  • 2
    I agree with @gre_gor that this is common knowledge that native desktop software you run normally has the same privileges as your file browser. In fact, this question is damn silly. Downvoted. – Greendrake Jun 17 '18 at 09:55
  • ANY browser will do that, though the way the data is displayed will be different. The desktop is just a directory on your hard drive, and browsers can see and display those, they've always been able to do this. – jwenting Jun 19 '18 at 08:55

8 Answers

228

What processes and systems are in place so that Google is not able to copy the data on my computer?

None. Google Chrome usually runs with the permissions of your user account. The application can then read and modify local files to the same extent your user account can. (These permissions apply to most of the programs you're using.) So you need to trust Google in that they don't ship a malicious update that spies on you, or keep sensitive files inaccessible to the account you're running the browser with. Alternatively, there are most likely sandbox implementations for your OS that let you run Chrome in an isolated environment with restricted access to the filesystem.

What processes and systems are in place so that someone who writes a Chrome extension is not able to copy files on my computer?

Chrome extensions have limited privileges by default. An extension needs to explicitly request (declare) a permission to interact with documents on the file:// scheme.

Also note that your browser disallows ordinary websites to read or even redirect to file:// URIs. So while your local files are accessible to the Chrome process, they are not exposed to the web.

Arminius
  • 44,242
  • 14
  • 143
  • 138
  • 1
    How would I go about making files inaccessible to the account I'm using to run the browser? – Pro Q Jun 11 '18 at 16:11
  • 8
    @ProQ That depends on the access control mechanisms of your OS. Simply speaking, have a separate account and set the permissions of sensitive files so that other users can't access them. – Arminius Jun 11 '18 at 16:17
  • 6
    Chrome being able to access your hard drive is why you can upload files by dragging and dropping the filename into a webpage window. "You need to trust Google in that they don't ship a malicious update that spies on you" Or have vulnerabilities that can be exploited. – Acccumulation Jun 11 '18 at 18:01
  • @Arminius wow why isn't this known by many others? I knew that google knows stuff, but this is a completely new level. – watchme Jun 11 '18 at 18:28
  • 284
    This is also true of almost any other software you run on your PC. Just because it doesn't expose a "file://" browse function, your music player, video player, your Steam games... any or all of them are "trusted" to not scan your stuff and log it. This isn't just a "google" thing. – JesseM Jun 11 '18 at 18:39
  • 27
    @watchme - Don't conflate Google with Chrome. *Your* browser, sitting on *your* system can access your files. But (barring anything malicious) Google itself has no access to any of them. – Bobson Jun 11 '18 at 19:16
  • 78
    @Bobson Well, "barring anything malicious" kind of bypasses the point of the question. – David Z Jun 11 '18 at 19:28
  • 14
    "ordinary web sites are never allowed to read or even link to file:// URIs" - of course no standard (of HTML) prevents a website from containing the character sequence ` – Hagen von Eitzen Jun 11 '18 at 20:47
  • 2
    @DavidZ especially since Google's Code of Conduct motto is no longer "Don't be evil". ... – BruceWayne Jun 11 '18 at 22:18
  • 4
    @JesseM And sometimes, this trust gets abused. There's this Flight Sim plugin developer who has repeatedly been caught installing password thieving software and malware executable alongside the software, ostensibly as a way to combat piracy. – Nzall Jun 12 '18 at 08:30
  • 2
    @BruceWayne Wait, seriously? That's a bit [worrying](https://en.wikipedia.org/wiki/Warrant_canary). – Nat Jun 12 '18 at 19:34
  • 3
    @JesseM - While "also true of almost any other software you run", you can block data transfer with outbound firewall whitelists. Which is not something you can do to a web browser (without losing all its functionality). – Nigel Touch Jun 12 '18 at 20:21
  • 1
    @BruceWayne & Nat: My understanding is that that proviso, whilst a fun addition that a couple college kids decided to add to their company, doesn't have much legal standing ("evil" not being a legal term), and its inclusion was becoming a growing concern for much the same way. i.e. Is Chrome version 66.6r... going to be considered evil? Not to most, but some may take issue. It's not about what we think of as the big evils, but the nuisance caused by the differing concept of evil, to each person. – Shane Gadsby Jun 13 '18 at 00:43
  • 7
    Not sure where that "don't be evil is no longer Google's motto" story comes from, @BruceWayne. Just open up their [Code of Conduct](https://abc.xyz/investor/other/google-code-of-conduct.html). It's still there, at the very bottom. – Just a student Jun 13 '18 at 09:27
  • 2
    @Bobson Actually, Chrome for Windows actively scans your computer and sends info about suspicious files to Google (and ESET, I assume). So, with that amount of orders from the mothership, it's hard to not assume that whatever Google wants from your computer, Chrome will deliver. – Agent_L Jun 15 '18 at 12:44
  • 3
    @Justastudent They [removed most references to it](https://gizmodo.com/google-removes-nearly-all-mentions-of-dont-be-evil-from-1826153393), except that single one at the bottom. – molnarm Jun 15 '18 at 15:28
  • 1
    @NigelTouch "_you can block data transfer with outbound firewall whitelists_" But then the program could just use the installed mail agent to send the information as an attached file to some address. Or if no such agent is found, to open the browser and the file to a file sharing service. It might be slightly more complicated, but not much. (It may even be easier if you don't know how to use the socket API but know how to launch and interact with other programs.) – curiousguy Jun 18 '18 at 09:18
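The answer above says an extension must explicitly declare a permission before it can touch file:// documents. The script below is an added example (not from the answer, and not Google's own tooling) that statically audits a Chrome extension manifest for such declarations, using the match-pattern rules Chrome documents: the scheme `*` covers only http and https, `<all_urls>` covers every permitted scheme including file:, and `file:///...` names local files directly. The three manifests at the bottom are constructed samples, not real extensions.

```python
"""Static audit of a Chrome extension manifest for declared file:// access.

Added example, not part of the original answer. Note the practical caveat:
even a declared file: pattern stays inert until the user turns on
"Allow access to file URLs" for that extension on chrome://extensions.
The audit reports what is declared, not what the extension's code does.
"""
import json
import re

# <scheme>://<host><path>; the special token "<all_urls>" is handled separately.
_HOST_PATTERN = re.compile(r"^(\*|[a-z][a-z0-9+.-]*)://([^/]*)(/.*)$")


def pattern_reaches_file_scheme(pattern: str) -> bool:
    """Return True if a Chrome match pattern can match a file:// URL."""
    if pattern == "<all_urls>":
        return True
    m = _HOST_PATTERN.match(pattern)
    if m is None:
        return False  # an API permission such as "storage", not a host pattern
    scheme = m.group(1)
    return scheme == "file"  # a "*" scheme means http or https only


def declared_host_patterns(manifest: dict) -> list:
    """Collect host patterns from both the MV2 and MV3 manifest layouts.

    MV2 mixes API permission names and host patterns in "permissions";
    MV3 moves host patterns into "host_permissions". The optional variants
    are read too, because they can be granted to the extension at runtime.
    """
    keys = ("permissions", "optional_permissions",
            "host_permissions", "optional_host_permissions")
    patterns = []
    for key in keys:
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry):
                patterns.append(entry)
    return patterns


def audit_manifest(manifest_json: str) -> dict:
    """Summarise what the manifest declares about reaching local files."""
    manifest = json.loads(manifest_json)
    patterns = declared_host_patterns(manifest)
    file_patterns = [p for p in patterns if pattern_reaches_file_scheme(p)]
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "host_patterns": patterns,
        "file_patterns": file_patterns,
        "can_reach_local_files": bool(file_patterns),
    }


# Constructed sample manifests for demonstration; these are not real extensions.
MV2_WEB_ONLY = json.dumps({
    "manifest_version": 2,
    "name": "Constructed reader extension",
    "permissions": ["storage", "*://*/*"],        # web pages only, no file:
})
MV3_ALL_URLS = json.dumps({
    "manifest_version": 3,
    "name": "Constructed broad extension",
    "permissions": ["scripting"],
    "host_permissions": ["<all_urls>"],           # includes the file: scheme
})
MV3_FILE_ONLY = json.dumps({
    "manifest_version": 3,
    "name": "Constructed local viewer",
    "host_permissions": ["file:///*"],            # local files explicitly
})

if __name__ == "__main__":
    for sample in (MV2_WEB_ONLY, MV3_ALL_URLS, MV3_FILE_ONLY):
        report = audit_manifest(sample)
        print(f"{report['name']}: file patterns {report['file_patterns']}")
```

Running it on the three samples flags the `<all_urls>` and `file:///*` manifests and passes the web-only one, which is the review a user or administrator can do before installing an extension.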
86

A piece of unsandboxed software running on a PC/Mac has (generally) the same privileges as the user running it and therefore can access any data that can be accessed by the user.

You are trusting Google (and any other software vendor whose code you execute) not to do anything malicious with that access.

If you don't trust Google, your only option as a general user of software is not to run their code.

The situation with Chrome extensions is somewhat different. Google places restrictions on what the extension vendor is able to do, and when you install an extension it will tell you what permissions you are providing it.

Obviously you are still trusting Google to have coded these restrictions correctly, and you are still potentially trusting the extension authors with some permissions that could be used to take malicious actions.

Kevin
  • 202
  • 2
  • 10
Rory McCune
  • 61,541
  • 14
  • 140
  • 221
  • 1
    If you consider implementing simple sandboxing measures (eg running chrome with different user account, or in a VM, or encrypting critical files and not having them open while chrome is running) out of scope for a "general user", yes. – rackandboneman Jun 14 '18 at 07:21
  • You can also run the open-source equivalent of Chrome, Chromium. – Nonny Moose Jun 15 '18 at 23:35
  • @NonnyMoose If you have automatic updates, it doesn't matter if you compiled one version from source, as the update system inherently trusts a signature of a provider (assuming the system is correctly designed), and the signer can make you download and run any code he wishes. – curiousguy Jun 18 '18 at 08:25
  • I'd have expected a "run your browser in a secured container" hint instead of "If you don't trust Google, your only option as a general user of software is not to run their code." — or wouldn't a containerized browser provide appropriately secure separation between OS and program (assuming correct container configuration)? Or was that what "unsandboxed" was meant to exclude? (which would render this comment to being superfluous noise.) – e-sushi Jun 18 '18 at 10:37
  • @e-sushi A secure container looks like a description of "sandbox". – curiousguy Jun 18 '18 at 17:58
  • 1
    TBH I was keeping this answer at a level of general computer user, rather than diving into the technical details of possible mitigations. If you want to get technical there's loads of stuff you can do, from VMs, to containers to specific OS like Tails. Although all that said every time you do that you're adding a new set of trusted parties (the people who write the isolation software) to your list :) – Rory McCune Jun 19 '18 at 06:27
40

If you are running a Linux distribution with SELinux, it is possible to have an additional layer of security. SELinux is an OS-level technology which allows tight restrictions on what processes — like your browser process — can access. In fact, in Fedora and in Red Hat Enterprise Linux (disclaimer: I work for Red Hat, on Fedora!), there is a light confinement by default for Firefox and Chrome. This turns out to be difficult and inconvenient to make more strict for most users — see this blog post by SELinux guru Dan Walsh for more.

There is ongoing work in Linux in general to run more user-level applications with greater restrictions (see for example Flatpak).

mattdm
  • 2,741
  • 1
  • 16
  • 17
  • Just to throw a couple more examples of application-level sandboxing into the mix: snapd/snapcraft (Linux), UWP (Windows) and Sandboxie (Windows). – Bob Jun 12 '18 at 06:00
  • 1
    Also AppArmor, a competing technology to SELinux. (Both SELinux and AppArmor are building-blocks in higher-level sandboxing like snap and flatpak.) – mattdm Jun 12 '18 at 12:51
  • 6
    @mattdm I just know AppArmor as *that thing I have to work around to get MySQL working properly on Ubuntu, now.* – user1717828 Jun 13 '18 at 00:37
  • 21
    And that's generally the problem with strong security - it gets in the way of user convenience. This is not a bug, but an unavoidable aspect of design, the same way locking your front door when you leave the house means you need to pull out your key to unlock it when you get back home. – Shadur Jun 13 '18 at 07:18
  • 8
    @Shadur It's probably more correct to say that it's a consequence of trying to add strong security to a legacy system that doesn't currently have it. If desktop and server apps had always had to explicitly enumerate the permissions they need (in the way that mobile apps do now), there would be a lot less friction. – James_pic Jun 13 '18 at 11:55
  • You can also run Chrome inside a Linux container, with limited access to the filesystem. This is what I do. – Josh Jun 13 '18 at 14:08
  • 1
    @James_pic agree, but just enumerating permissions is only a (good) first step. Users generally need to be educated to understand what they are granting permission to. Most non-technical people would just accept the enumerated permissions asked for by an app - pretty much like the end user agreements whilst installing software. – Sudhanshu Mishra Jun 13 '18 at 22:53
  • @Shadur fingerprint scanning and eye recognition etc are all more user-friendly means of unlocking a locked door that don't involve the user remembering to carry a key and then require them to take it out. Would there perhaps be a digital equivalent? – ESR Jun 18 '18 at 05:06
  • 1
    @EdmundReed Even if granting temporary permission is as easy as clicking "Yes", users will develop click fatigue and just automatically click on any security prompt, like in UAC case or mobile app permission dialog – Martheen Jun 19 '18 at 03:20
23

Lawyers. You have a contract with Google stating what they will do / you allow them to do. This is called the Google Chrome Terms of Service. And obviously, you have carefully read it before installing it.

This includes¹ excerpts like this (emphasis by me):

By default, usage statistics and crash reports are sent to Google (…). Usage statistics contain information such as preferences, button clicks, and memory usage. In general, usage statistics do not include web page URLs or personal information, but, if you are signed in to Chrome and syncing your browsing history in your Google Account without a Sync passphrase, then Chrome usage statistics include information about the web pages you visit and your usage of them. For example, we may collect statistics to identify web pages that load slowly. (…) Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time the crash report was triggered. We may share aggregated, non-personally identifiable information publicly and with partners — like publishers, advertisers or web developers. You can change whether usage statistics and crash reports are sent to Google at any time. Learn more. If Google Play apps are enabled on your Chromebook and Chrome usage statistics are enabled, then Android diagnostic and usage data is also sent to Google.

Thus, by installing Google Chrome (and not disabling these options), you are granting consent for giving this information to Google.

Would they be technically able to gather more information than what they stated? Yes. Are they purposefully doing it? That's unlikely, as it would place the company in a precarious position should they get caught stealing users' data. It is preferable for them to add a note in their policy that covers their gathering (probably including an acceptable rationale like "this will allow us to provide you content more suited to your interests", in an attempt to make it less daunting), as it legitimates their practice, and few people read the legal terms, anyway.

Although a story about Google Chrome privacy statements wouldn't be complete without telling how, when Google Chrome launched, its terms of use originally made the user

“give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through” ²

a sentence they were using on other services. After an uproar over these seemingly abusive terms, they updated their terms the next day, stating that for whatever content the user produces using Google Chrome, he retains his rights.

¹ Actually in the Google Chrome Privacy Notice, incorporated by the EULA.

² https://www.mattcutts.com/blog/google-chrome-license-agreement/

Ángel
  • 18,188
  • 3
  • 26
  • 63
19

What processes and systems are in place so that Google is not able to copy the data on my computer?

There's not anything in place that makes it so they can't but there's something in place that makes it unlikely that they would: trust.

Google's product is you. They want to know everything about you and be able to predict every single decision that you will ever make. If they can do that then they can encourage you to buy Ford instead of Chevy when it comes time.

They have a social contract with us that says that they'll provide useful tools (and then kill them), like Google Drive, Chrome(ium), Blogger, Gmail, Google Photos, Maps, YouTube, Search, etc., and in return we'll let them mine our information about us with the understanding that they won't do too many terrible things, and that they'll try to make the web a more pleasant place, with more relevant advertising and none of the annoying things that make us want to break someone's fingers very, very slowly for putting one of those stupid audio ads online.

Part of that trust is that if we install one of their programs that they won't put code in it that will compromise our systems, or allow them to be.

Because if we don't trust Google, then we won't give them access to the product that they are so incredibly interested in - us. The more we trust Google, the more valuable their product is (us) that they can sell to advertisers. It's in Google's best interest to do things that will enhance that trust - because the more we trust Google, the more they can charge advertisers, because they can say, "Look, we know these people, and they are willing to buy/read/listen/watch the things that we recommend. If your product matches their needs and interests then we will recommend your product to them and they will probably buy it because we were the ones who endorsed it."

That's the system that's in place to make it a very very bad idea for Google to do any kind of badness with Chrome, or any of their other software. Trust is something that's difficult to earn back once it's lost, and Google most certainly knows that.

Wayne Werner
  • 1,755
  • 3
  • 15
  • 20
  • 1
    Then please explain to me: No one I know really trusts Microsoft, yet everyone installs Windows. Why should it be different for Google/Facebook/Amazon/... – Alexander Jun 14 '18 at 14:56
  • 1
    @Alexander easy - people are lazy and comfortable with the familiar even if it's worse for them. And Microsoft subsidizes the purchase of some hardware, which is why it's usually cheaper to get a computer with Windows installed than with no OS and install Linux yourself. Obviously we put up with a certain amount of Google screwing us - taking away Google Reader, turning more and more into a walled garden (no GTalk/jabber interface anymore, etc.) - Same goes for Microsoft. As long as we can pretend it's not a problem, we'll put up with it. – Wayne Werner Jun 14 '18 at 15:25
  • 4
    I would disagree about people trusting Microsoft. People gripe about Microsoft, but they don't expect them to be using Windows to record their password keystrokes on purpose, to keep profiles of their porn habits, to try to build a database of their medical history, and then to use all that data against their users. There are degrees and kinds of trust. Also, I think people complain about Microsoft at least in part because it's become fashionable to complain about Microsoft. But I digress. – xdhmoore Jun 14 '18 at 22:28
  • @WayneWerner I wouldn't say that Google is necessarily "screwing us". If a third party wants to give you something for free they have an absolute right to in the future not give it to you for free. It would be entirely different if we paid for their services. – dotnetengineer Jun 15 '18 at 19:49
  • 2
    @dotnetengineer Sure - but as I mentioned, it's technically not *free* - it's just an exchange with an implicit value. – Wayne Werner Jun 15 '18 at 20:01
3

Arminius's answer of "None" is the most correct answer... I just wanted to add an answer which was too large for a comment:

What processes and systems are in place so that Google is not able to copy the data on my computer?

If you have one, and it's properly configured, your Outgoing Firewall can hold this responsibility... the problem is that there's so much traffic when you're browsing the web that it quickly becomes infeasible to set up the rules properly.

As an example, here's a screen shot of what happens on my computer without a rule allowing Google Chrome network access globally:

[Screenshot: firewall prompt reading "Google Chrome wants to connect to security.stackexchange.com on TCP port 443, do you want to allow this?"]

If you knew Chrome was contacting a google domain for malicious usage, you could deny that:

[Screenshot: the same Google Chrome firewall prompt with the Deny button highlighted]

The issue is that while browsing the web there's such a wide variety of domains that it would be trivial for Google to "trick" users into allowing content to a domain and bypassing this restriction. But, if you're extremely careful and targeted (read: paranoid) this is one method you could employ.

Josh
  • 1,096
  • 9
  • 13
  • 3
    This is a bit silly though. If you don't trust the domain `google.com` then you shouldn't be using Chrome in the first place! Also, if you just wanted to block access to particular domains, there are easier ways of doing that (one way is to set them to localhost IP address in your hosts file, among other methods). – Muhd Jun 14 '18 at 04:43
  • Agreed @Muhd regarding if you don't trust Google, don't use their browser... but that was the question. Note that setting `google.com` to `127.0.0.1` or something else in the hosts file does not block applications from accessing google, it just (probably) causes the system's DNS resolver to return that IP. And, this was an example... I use this technique with software that I don't want to call home, or limit outgoing communication to my LAN / my servers, for example... where I don't know what it will talk to but I know what I'll allow it to talk to. – Josh Jun 14 '18 at 12:39
  • 1
    Fair enough. It does seem like a useful technique to be aware of. – Muhd Jun 15 '18 at 01:15
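The per-application prompts in the answer above amount to an outbound allow-list keyed on process, host and port. The following is an added example (not the answer author's software, nor any real firewall product) that models such an allow-list and runs a constructed page-load session through it, to show both how the "prompt" decision arises and why one page can trigger so many prompts. Hosts other than security.stackexchange.com are constructed `.test` names; the rule set, session and application names are assumptions.

```python
"""Per-application outbound allow-list, modelled on the firewall prompts above.

Added example. Any connection attempt with no matching rule yields "prompt",
which is the decision the user would be asked to make. Host matching is
suffix-aware on purpose: "*.example-cdn.test" covers "static.example-cdn.test"
but not the lookalike "notexample-cdn.test", a common allow-list mistake.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    app: str                     # process the rule applies to
    host_pattern: str            # exact host, or "*.example.test" for subdomains
    port: Optional[int] = None   # None means any port


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive host match; the wildcard covers true subdomains only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading "." so the base domain must sit on a label boundary.
        return host.endswith(pattern[1:])
    return host == pattern


def decide(rules, app: str, host: str, port: int) -> str:
    """Return "allow" if some rule covers this attempt, otherwise "prompt"."""
    for rule in rules:
        if (rule.app == app and host_matches(rule.host_pattern, host)
                and (rule.port is None or rule.port == port)):
            return "allow"
    return "prompt"


def evaluate_session(rules, attempts):
    """Tally decisions and list the distinct hosts that would prompt the user."""
    tally = Counter()
    prompted_hosts = set()
    for app, host, port in attempts:
        verdict = decide(rules, app, host, port)
        tally[verdict] += 1
        if verdict == "prompt":
            prompted_hosts.add(host)
    return tally, sorted(prompted_hosts)


# Rules a careful user might start with: the site being read, over TLS, plus
# one trusted asset CDN (constructed name).
RULES = [
    Rule("chrome", "security.stackexchange.com", 443),
    Rule("chrome", "*.example-cdn.test", 443),
]

# Constructed connection attempts for one page load, plus one from another app.
SESSION = [
    ("chrome", "security.stackexchange.com", 443),    # allowed by rule 1
    ("chrome", "static.example-cdn.test", 443),       # allowed by the wildcard
    ("chrome", "fonts.example-fonts.test", 443),      # third-party asset host
    ("chrome", "metrics.example-tracker.test", 443),  # analytics beacon
    ("chrome", "notexample-cdn.test", 443),           # lookalike, must not match
    ("chrome", "security.stackexchange.com", 80),     # plain HTTP, wrong port
    ("music-player", "radio.example-stream.test", 443),  # other app, no rule
]

if __name__ == "__main__":
    counts, hosts = evaluate_session(RULES, SESSION)
    print(dict(counts))
    for h in hosts:
        print("would prompt for:", h)
```

Two attempts are allowed and five prompt, and that is for a single page with only a handful of constructed third parties; a real session multiplies the prompts, which is the infeasibility the answer describes.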
3

There are several answers to this, including an accepted answer, but none to my judgement captures the appropriate nuance.

The nuance involves the distinction between "policy" and "mechanism." This distinction transcends technical systems, and, not to put too large a point of it, exists in all areas of regulated human endeavor.

In the large, there is no mechanism preventing your doctor from revealing your sensitive medical data, technically encoded or no. In the small, there is no mechanism preventing the garage where you park your car from giving your car to some other party. In a free society, anyone can do most anything without immediate oversight or ramifications. In other words, there are no direct, immediate mechanisms preventing bad behavior.

Instead there are policies - implicit ones usually called norms that most people learn by kindergarten, and more sophisticated explicit ones called statutes and laws and similar - which have mechanisms of enforcement, to be sure, but under which the vast, vast majority of compliance occurs without those enforcement mechanisms being exercised. This is obviously the trust point mentioned in the other answers. A free society is only possible with a culture of very, very high trust.

In software, we are used to thinking of things in terms of mechanisms - such and such is impossible because of this and that technical difficulty. What is important to understand is in software, even more so than in the real world, ALL mechanisms are transient and fungible. What was impossible yesterday becomes commonplace tomorrow.

So the ONLY thing "preventing" anything bad from happening in the use of a piece of software is ultimately policy - implicit norms and compliance with explicit rules - Privacy Policies, Terms of Service, and so on. And if you read those carefully you realize that no one makes any useful legal promises to not do anything bad.

So be careful out there. The only thing you have is your ability to make informed judgements about trust.

Jonah Benton
  • 3,439
  • 12
  • 20
  • I think [Wayne Werner's answer](https://security.stackexchange.com/a/187632/176607) had a similar sentiment, but I appreciate the clarity on the differences between policies and mechanisms. – Pro Q Jun 18 '18 at 14:46
  • 1
    Yup, agree. Cheers... – Jonah Benton Jun 18 '18 at 14:48
2

What stops Google from saving all the information on my computer through Google Chrome?

Unplugging your computer from the network will do this. To further secure your computer you can also turn off wifi, bluetooth, etc., and always use only manual input with no removable devices along with RF shielding to protect against EM leakage. That will protect you from everything except physical intrusion.

For that, operate in a SCIF, or enclosed secure Faraday cage with equipment that complies with ICD 503. Require operators to remove all clothing and other objects, and perform physical searches including x-ray before physical access to prevent introduction of any bugging device. Also perform the same search on egress to ensure nothing is being removed.

ggb667
  • 152
  • 2
  • 4
    While this generic answer is a perfect field manual for tin foil hatters, it does not provide an answer to the question asking "What stops Google from saving all the information on my computer through Google Chrome?" – e-sushi Jun 18 '18 at 10:44
  • In other words you have no idea, right? – SantiBailors Jul 12 '18 at 07:01
  • Unplugging prevents any information from being removed from your computer. That's the only thing that works. Google wants ALL your information. What do you think the cloud, Google Docs, etc. is for? – ggb667 Jul 18 '18 at 18:25