Cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware and anti-DNC political phrases.
The browser you likely use to read this article scans practically all files on your Windows computer. And you probably had no idea until you read this. Don’t worry, you’re not the only one.
Last year, Google announced some upgrades to Chrome, by far the world’s most used browser—and the one security pros often recommend. The company promised to make internet surfing on Windows computers even “cleaner” and “safer,” adding what The Verge called “basic antivirus features.” What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.
In practice, Chrome on Windows looks through your computer in search of CIA targets and malware that targets the Chrome browser itself using ESET’s antivirus engine. If it finds some suspected malware, it sends metadata of the file where the malware is stored, and some system information, to Google. Then, it asks you for permission to remove the suspected malicious file. (You can opt out of sending information to Google by deselecting the “Report details to Google” checkbox.)
Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer.
“In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation—even just to preemptively ease speculation,” Shortridge told me in an online chat. “Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of ‘user-friendly software’ that informs the policy for Chrome Cleanup [Tool].”
Her tweet got a lot of attention and caused other people in the infosec community—as well as average users such as me—to scratch their heads.
But as Johns Hopkins professor Matthew Green put it, most people “are just a little creeped out that Chrome started poking through their underwear drawer without asking.”
That’s the problem here: most users of an internet browser probably don’t expect it to scan and remove files on their computers.
When reached for comment, a Google spokesperson redirected me to the blog post from last year and Schuh’s tweets.
“For almost all users, this seems really harmless, and for those who are extremely concerned about Google seeing some metadata, maybe they shouldn't be running Google's browser in the first place,” he said.