A stark new warning for billions of Google Chrome users, as the browser is exposed harvesting very sensitive phone data without users realizing. This latest privacy nightmare should give you a reason to delete Chrome on your phone.
Last month, Facebook’s app was exposed tracking the movements of iPhone users, tapping into the device’s accelerometer at all times. Facebook is the world’s greediest data harvester, and this sensitive information can be used to monitor behaviors, linking with the extraordinary amount of data it collects.
But Facebook isn’t the world’s most successful data harvester—that prize goes to Google. Unlike Facebook, which has been hit hard by Apple’s latest privacy measures, Google’s digital ad revenues continue to soar. The reality is that while Facebook/Meta acts as a lightning rod, Google is the much bigger threat to your privacy.
While Facebook was collecting this information for itself, Chrome is happy to collect it for others—essentially enabling a free-for-all when it comes to hugely sensitive information about your every activity, your every behavior.
Researcher Tommy Mysk warns that “the motion sensor is accessible to all websites in Android/Chrome by default, [whereas] Safari/iOS protects access by a permission.” What’s much worse, though, is that Chrome does this even when it’s set to private browsing or “incognito” mode. How can this be okay?
“The way Android handles the accelerometer is much worse [than Facebook],” Mysk told me. “Apps can even read it in the background. My team implemented a pedometer functionality in our app. The app would count steps even if the app wasn’t running at all. Because the logic was a background service that ran all the time.”
In response to the security research, Google told me that “we intentionally limit the resolution of motion sensors in Chrome, and since 2019 we’ve had controls that allow users to block websites from accessing a device’s motion sensors altogether. We take user security and privacy seriously, and we’re always working on new ways to improve security and privacy in Chrome.”
But this is data that Chrome is making available to any site that asks—by default. Apple improved its security and privacy by blocking that data and mandating a specific, time-boxed permission any time it was requested. That’s how it’s done, Google.
I’ve warned before about Chrome’s woeful privacy risks. Put simply, with Chrome Google works both sides of the fence when it comes to your browsing: it provides the search and digital ad infrastructure behind the scenes while also controlling the front-end browser you’re using, essentially harvesting your data at both ends.
This issue is exacerbated by Google’s philosophy when it comes to your privacy—put simply again, you’re a product to be monetized to drive its huge levels of profitability. Your behaviors can be tracked across multiple platforms and services, and that information can be used to drive the world’s most valuable influencing platform.
The recent backtrack over FLoC, where Google admitted “accidentally” allowing millions of users to be secretly tracked, tells you all you need to know. Then there’s the ongoing mixed messaging on private browsing, as well as the default enabling of reporting on users’ inactivity. Google Chrome is bad news on the privacy front. Period.
“Google has been professing their intent to figure out how to place ads in a privacy-preserving way,” Mozilla told me recently, “but those plans keep being delayed,” while their functionality “tracks people and enables new ad use cases.”
Apple’s WebKit, which restricts the behaviors of Safari and other browsers operating on iPhones, introduced a specific permission for accelerometer access with Safari 13 in 2019. That followed research exposing the very same exploitation of permission-less sensor access by mobile websites that Chrome on Android still allows.
Those researchers found that mobile websites were tapping into device sensors “for purposes other than what W3C standardization body had intended. We found that a vast majority of third-party scripts are accessing sensor data for measuring ad interactions, verifying ad impressions, and tracking devices. Our analysis uncovered several scripts that are sending raw sensor data to remote servers.”
That research, Mysk told me, “pushed Apple to protect Safari on iOS… I’m not sure why Google didn’t apply similar measures.” Given the research referenced ad delivery and measurement as a core focus for tapping sensors, we can hazard a guess as to why.
While Apple disables motion sensor access by default, Google not only enables that access, but despite prior warnings it also tells users this is a “recommended” setting to keep enabled. The difference between Apple and Google could not be more stark. The irony, of course, is that you’re safer using Chrome on an iPhone than an Android, because Apple blocks this type of data harvesting for all browsers.
As one developer on the Chromium discussion on this setting asks, “why would the motion sensor permission be an allow/ask pair instead of an ask/block pair? Is it just so Chrome can default to allow? Not many sites outside of Maps need the motion sensor APIs. I’ve disabled it and it’s always surprising to see a site use motion sensors.”
If providing motion sensor data to websites were a real requirement, one so popular as to justify being on by default, then iPhone users would have been inundated in recent years with that permission request. But they haven’t. Most will never have seen it. Not once.
You can disable access to your phone’s motion sensors in Chrome on Android in Site Settings—but you will see that Google recommends leaving it on.
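The permission gate Apple added in Safari 13 and the default-allow behavior described above for Chrome on Android can both be checked from a page’s own scripts. The following is an added example, not code from the article, Google or Apple: two small audit helpers a site owner loads before any third-party script to report which access model the browser uses and to log every script that subscribes to motion events. The `makeFakeWindow` stand-in is a constructed substitute for `window` so the helpers can run outside a browser.

```javascript
// Added example (not from the article, Google or Apple). Two audit helpers a site owner
// can load first on their own page:
//  1. sensorAccessModel() reports whether the browser gates motion sensors behind a
//     permission prompt (Safari 13+ exposes DeviceMotionEvent.requestPermission) or
//     hands the data to any script by default, as described for Chrome on Android.
//  2. installMotionAudit() wraps addEventListener so each subscription to the
//     devicemotion / deviceorientation events is logged with the script that made it.
const MOTION_EVENTS = new Set(['devicemotion', 'deviceorientation', 'deviceorientationabsolute']);

function sensorAccessModel(win) {
  const dme = win.DeviceMotionEvent;
  if (!dme) return 'unsupported';                  // no motion API exposed at all
  return typeof dme.requestPermission === 'function'
    ? 'permission-gated'                            // the user must approve each request
    : 'default-allow';                              // any script may subscribe silently
}

function installMotionAudit(target, log) {
  const originalAdd = target.addEventListener;
  const subscriptions = [];                         // audit trail returned to the caller
  target.addEventListener = function (type, listener, options) {
    if (MOTION_EVENTS.has(type)) {
      // Stack frames carry the URL of the (possibly third-party) script registering it.
      const frames = (new Error().stack || '').split('\n').slice(2);
      const urlFrame = frames.find((f) => /https?:\/\//.test(f));
      const source = urlFrame ? urlFrame.trim() : 'inline or unknown script';
      subscriptions.push({ type, source });
      log(`[motion-audit] ${type} listener registered by ${source}`);
    }
    return originalAdd.call(this, type, listener, options);  // still register it
  };
  return subscriptions;
}

// Constructed stand-in for window so the helpers run outside a browser (e.g. under node).
function makeFakeWindow(permissionGated) {
  const listeners = [];
  return {
    DeviceMotionEvent: permissionGated ? { requestPermission() {} } : function DeviceMotionEvent() {},
    addEventListener(type, listener) { listeners.push(type); },
    listeners,
  };
}

// Demo: a default-allow (Chrome/Android style) window, then a script subscribing to motion.
if (typeof window === 'undefined') {
  const fake = makeFakeWindow(false);
  const trail = installMotionAudit(fake, console.log);
  fake.addEventListener('devicemotion', () => {});
  fake.addEventListener('click', () => {});
  console.log(sensorAccessModel(fake), trail.length);   // default-allow 1
}
```

A site owner who wants the browser to enforce the block for every frame, including third-party ones, can additionally send the header `Permissions-Policy: accelerometer=(), gyroscope=(), magnetometer=()`, which denies those sensors regardless of the user’s Chrome setting.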
The reality is that while Apple versus Facebook has taken the headlines, the iPhone maker has arguably done more to show up Google’s privacy infractions than anyone else’s. And all the while Android plays a game of slow catch-up with the higher profile privacy innovations that Apple introduces with its iOS updates. But then we find these hidden issues that haven’t yet grabbed headlines and which remain issues.
Google emphasizes the settings it offers to change default settings—to restrict location tracking in your account, to disable monitoring the time you spend away from your device, to switch off new privacy sandbox tracking features, to stop cross-site tracking, to disable third-party cookies, to block phone motion sensing. But there’s a theme—everything is switched on out of the box unless you actively find it and change it. Nothing is private by default. And that’s woeful from a privacy perspective.
Yes, on Android, you can find and disable the motion sensor. But it’s not acceptable to rely on users proactively changing settings to protect basic privacies. Apple and others now add such measures by default. In reality, very few users know about these issues and even fewer will follow the multi-step menus to change core system settings. This is especially true when Google marks such settings as “recommended.”
We now await FLoC V2, as Google’s Privacy Sandbox continues to search for an impossible solution to protect user privacy without compromising the monetization of user data. My advice is not to wait and to opt for an alternative browser. On Apple you should use Safari, and on Android and other non-Apple platforms Firefox is a much better option, if you don’t want to opt for privacy-first DuckDuckGo or Brave.
Apple has led the way with Safari in defaulting to privacy-centric options out of the box. Its latest innovation, Private Relay, breaks the link between user identities and web sites, essentially undermining the core basis behind web trackers. Google could never follow their lead, it would severely damage its business model.
Chrome is isolated as the only major browser that has not yet acted to stop cross-site tracking, the only browser (illustrated by Apple’s privacy labels when used on iOS) that collects vast amounts of data, all of which link back to user identities, and the only major browser that pushed out FLoC, despite numerous privacy warnings. On Android, you can remove Chrome by disabling the stock browser in your settings.
“The rule of thumb in information security,” Mysk warns, “is that private information should be protected. Access to the accelerometer should be protected.”
Chrome is the world’s most popular browser, controlled by the world’s largest digital advertising giant, by the entity that controls 75% of web tracking. The maths is simple. Until users make choices that put privacy first, we can’t expect anything to change.