Knowing When to Say No
In a previous post, I expressed reservations about privacy in Google’s new operating system. But that reservation was based on impressions rather than actual use. Here I describe how my impressions held up during 10 hours of hands-on testing of the OS and browser [1].
I downloaded the source code for Google’s Chromium OS and then built and installed the image on an Asus EeePC 1000 netbook [2]. Included was a pre-built binary of the Chromium-based browser.
First a few words about product names, because unfortunately they are a bit confusing here. Chromium OS and Chromium are Google’s names for the open source developer versions of the proprietary Chrome operating system (OS) and Chrome browser. The Chrome browser is currently in beta and is available for Mac, Windows, and Linux as binary downloads. But the OS is only available in the open source version. It differs from the Chrome OS that OEMs will ship on netbooks in late 2010. According to a Google FAQ:
Specifically, Google Chrome OS will run on specially optimized hardware in order to get enhanced performance and security.
When Chrome OS gets released, it will be based on Google firmware that is not part of the open source versions of Chromium OS. So I was unable to test several important features like fast boot, verified boot (a security measure), and system recovery.
As you’d expect in a developer release, the version of Chromium OS that I tested was a little buggy (eg, wifi did not work) and incomplete (eg, no JSON for bookmark imports). But these are really minor matters with simple work-arounds (eg, ethernet instead of wifi and HTML instead of JSON).
Bugs, partially complete features, and even missing features don’t really concern me at this stage. I was mostly interested in design and architecture decisions and whether I as a user would feel safe when using the OS and browser.
By safe I do not merely mean secure. Google has engineered an impressive product with security as a foundational principle. I’d expect Chrome OS to excel in this area, although I’ll reserve final judgement until I can test the Google firmware that will provide much of the security foundation.
By safe I also mean private. This I could and did test, although the tight integration of Chromium the browser and Chromium the operating system sometimes obscures exactly which Chromium is being tested.
When Chromium OS boots, you’re presented with a login screen. At present the login requires a Google account password. But in a Login design document, Google mentions OpenID as a future possibility and says they “want to ensure that people can fully use Chromium OS without needing a Google login.” Login design appears to be under active discussion, re-design, and development.
Chromium OS devices are cloud-based devices meant to run web services. The login requirement facilitates single signon to multiple web applications. By default, Chromium opened my Gmail and Calendar apps in separate tabs. I could log out of these apps without logging out from the OS. I could also easily browse to other Google apps via a Chromium icon that appears prominently in the far left of the top panel. Judging from the Google partner applications that also appear via this icon, single signon across multiple applications is an important design goal.
Single signon is a compelling benefit for the user. No one likes to re-enter authentication information multiple times a day. But the user also makes an implicit bargain with Google for this convenience, security, and price (ie, free). The entire time you use Chromium OS, you are logged in and therefore identifiable.
I encourage Google to allow users to opt-out of the initial OS login.
I spent the first 3 hours testing Chromium OS and Chromium with default configurations. This is the path of least resistance that many users may take. The test involved normal browsing of web pages bookmarked from RSS feeds. At the end of the test I’d accumulated 105 cookies from 38 different sites, many of which were third-party sites that I did not initiate. My browsing history recorded 63 events, all datetime stamped and all including the associated URL.
However, this is just the tip of an iceberg of personal data collected in standard browser mode. The Google Chrome Privacy Notice provides more detail than I can include here about information collected by Google and by other website owners. It also includes warnings about use of third-party Chrome extensions and an eye-opening description of information stored locally on your computer when using Chrome. This latter category includes cached text of pages visited; IP addresses obtained via DNS pre-fetching of links on pages you visit; a searchable index of pages you visit; thumbnail screenshots of pages; and, of course, browsing history, download history, and cookies set. If you enable Chrome’s synchronization feature, your browser settings (including bookmarks) will also be stored on Google servers.
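As an added example (not part of the original post), the Python script below shows how a user could audit two of the local data stores just described on a Chromium profile: it reads History and Cookies SQLite databases, lists every visit with its timestamp and URL, and counts cookies by site, flagging sites that never appear in the history as likely third-party. The table layouts and WebKit-epoch timestamps mirror Chromium's, but the sample databases are constructed in memory here, and the registrable-site logic is a deliberate simplification (assumption: no public-suffix list is available).

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chromium keeps History and Cookies as SQLite files in the profile directory.
# Timestamps are microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def registrable_site(host):
    # Simplification (assumption): treat the last two labels as "the site".
    # A real audit would consult the public-suffix list (e.g. co.uk).
    parts = host.lstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def audit_history(history_conn):
    """Return every recorded visit as (datetime, url), oldest first."""
    rows = history_conn.execute(
        "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON v.url = u.id "
        "ORDER BY v.visit_time").fetchall()
    return [(webkit_to_datetime(t), url) for t, url in rows]

def audit_cookies(cookie_conn, visited_urls):
    """Count cookies and sites; a site with cookies but no history entry was
    never deliberately visited, so it is reported as third-party."""
    visited = {registrable_site(urlsplit(u).hostname or "") for u in visited_urls}
    rows = cookie_conn.execute("SELECT host_key, name FROM cookies").fetchall()
    by_site = {}
    for host_key, name in rows:
        by_site.setdefault(registrable_site(host_key), []).append(name)
    third_party = sorted(s for s in by_site if s not in visited)
    return {"cookies": len(rows), "sites": len(by_site),
            "third_party_sites": third_party}

def build_sample():
    # Constructed in-memory stand-ins for a profile's History and Cookies DBs.
    h = sqlite3.connect(":memory:")
    h.executescript("""
      CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
      CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
      INSERT INTO urls VALUES(1,'http://news.example.com/story','Story'),
                             (2,'http://blog.example.org/post','Post');
      INSERT INTO visits VALUES(1,1,12900000000000000),(2,2,12900000060000000),
                               (3,1,12900000120000000);""")
    c = sqlite3.connect(":memory:")
    c.executescript("""
      CREATE TABLE cookies(host_key TEXT, name TEXT, value TEXT);
      INSERT INTO cookies VALUES('.example.com','sid','a'),('news.example.com','pref','b'),
        ('.adtracker.example','uid','c'),('.example.org','s','d'),('.metrics.example','id','e');""")
    return h, c
```

Pointing the two connections at a real profile's History and Cookies files instead of build_sample() gives the same report for an actual browsing session.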
Is all this data acceptable use? Well, it depends on each person’s level of tolerance for scrutiny of personal behavior by a private company. For me, it is not acceptable. As I mentioned in my previous post, I use the web energetically but very cautiously.
So as a second test I activated Incognito mode. In this mode, web pages and downloaded files are not recorded in browsing or download history. All new cookies are also deleted when closing the Incognito window. In a Security Overview design document, Google describes Incognito mode this way:
• Users can initiate a completely stateless session, which does not sync or cache data.
• All system settings would be kept out of this session, including networking config.
After many hours of Incognito use, I had no browsing history, no download history, and a single Google cookie. This is a happy result for a cautious web user. It is, however, quite easy to accidentally leave Incognito mode and bounce back to standard mode, so cautious users will also want to change Chrome’s default browser settings to opt-out of several features. See the Privacy Notice or Chrome Help for notes on how to opt-out and disable features.
It’s not clear to me what Google means by the term stateless and how it relates to common definitions (eg, see Wikipedia and stateless server). The word gets used when Google describes Incognito mode for Chromium (the browser), yet the entire occurrence appears in the context of a design document for Chromium OS (the operating system). I interpreted this to mean that stateless was a feature of both the browser and the OS, but this is just a guess on my part. One of the Chromium OS design documents lists the stateless feature as “coming soon,” which also supports the notion that the term refers to something larger than just Incognito mode in the browser.
I encourage Google to clarify the stateless concept. It’s too important to leave it open to individual interpretation.
One final comment. You may have noticed in the block-quote about Incognito mode the use of the term cached data. This is another area where Google could provide greater detail. What exactly does cached data mean? And what data does it include?
Some cached data is identified in the above discussion of Chrome data stored locally. But there appears to be an OS as well as a browser component to cached data. I got this sense from a Chromium OS design document called Protecting Cached User Data, where the following statement appears:
Chromium OS devices should provide privacy protection for user data stored on the local disk. In particular, some subset of a user’s email, pictures, and even HTTP cookies will be stored on the local drive to enhance the online experience and ensure Chromium OS devices are useful even when an Internet connection isn’t available.
I understand the offline rationale. But I wonder if it isn’t more complicated than that. Google’s Native Client technology will allow web-based applications to run native (ie, local) code from the Chrome browser, thereby using local resources to boost the performance of web apps.
To my knowledge, Google isn’t talking and the role of Native Client in Chrome OS is currently unclear. This merely encourages speculation that Native Client and local data are actually strategies in the competition between Google and makers of desktop applications.
How would that affect user privacy? Again, it’s impossible to tell from any of the Google design documents I reviewed. But it doesn’t leave me with a warm and fuzzy feeling.
I encourage Google to prepare a privacy notice for Chrome OS as it has for Chrome and other individual products. Without one, we’re left making mostly uninformed guesses.
Am I likely to use Chrome OS when it arrives in late 2010? It’s too early to provide a firm answer. I’ll re-evaluate the operating system at release time. Currently there are too many unanswered privacy questions. But my guess is that I will selectively use the Chrome browser but not the Chrome operating system.
Notes:
[1] If you’d like screen shots and a fair summary of Chromium OS features, I recommend Dedoimedo’s Google Chrome OS – Is this the future?
[2] The version of Chromium OS was 0.5.25.201001051736 Developer Build aa10e830.F
