After having used the Google Chrome internet browser for a while now, I can say that it is generally a pretty nice browser, but I have some very serious privacy concerns.
When you open a new tab in Chrome, it displays pictures from websites you have visited. This means that if someone is sitting next to you, the moment you open a new tab, your recent browsing history is prominently displayed. The obvious response to this by some will be “Then don’t visit porn sites.” This is of course a very short-sighted response.
Do you work for a company with an internal website? Is Chrome going to show people confidential or proprietary information as soon as you open a new tab? Do you want to tell the person sitting next to you on an airplane or in a coffee shop where you bank, what stocks you own, your own medical conditions which you may be researching, that you are looking for homeopathic cures for hemorrhoids, and so on?
With Chrome you will instantly and automatically display websites you visit when you open a new tab. If a person is a victim of domestic violence, this could be an extremely serious privacy and safety problem which may result in injury or death. Simply clicking on new tab to hide the current window from prying eyes may cause even more harm.
ESET Researcher Pierre-Marc Bureau pointed out to me that when you start typing a URL into the address bar, it may already display some sites you have visited. This is a valid point; however, the size of the displayed data is significantly smaller, and the duration of the display is probably going to be much, much shorter. Unlike Firefox, Chrome has no setting to automatically delete the history, etc. when you close the browser, and no user control over how long history and temporary files are stored.
Chrome is still in beta and when it releases, perhaps the new tab display design flaw will be fixed. For the time being, I would have to say that Chrome is inappropriate for corporate users, the worst choice for victims of domestic violence, and a miserable choice for those who like privacy and tabbed browsing.
For a product in beta it is understandable that Chrome is quite weak on configurability options, but quite frankly, with such an obvious design flaw related to privacy, Chrome went into beta prematurely.
For the time being, the workaround is to clear the browsing data regularly. Another option is to change the shortcuts to Chrome. Chrome has a feature called “incognito” browsing. The name is quite misleading: it doesn’t make you at all incognito, but it does help with privacy… most noticeably by not displaying any of your browsing history in a new tab. Unfortunately Chrome has no setting to start in incognito mode. To start the browser in incognito mode you need to modify the command line and add “--incognito” without the quotes. I use the quick launch button to open Chrome. If you right-click on the Chrome icon and choose Properties, there is a field called “Target” that tells the computer what program to run when you click the button. By default the entry for Chrome is
"C:\Documents and Settings\<user name>\Local Settings\Application Data\Google\Chrome\Application\chrome.exe"
By adding --incognito to the end of this as shown here:
"C:\Documents and Settings\<user name>\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --incognito
I always launch Chrome in incognito mode and don’t have to worry about the Chrome tabbed browsing privacy vulnerability (or design flaw) on my computer. Note that <user name> is the name of the user who is currently logged in.
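The same shortcut edit can be scripted so that every Chrome shortcut in a profile gets the switch, not just the one you remember to change. This is an added example, not part of the original post; the list of folders searched and the use of the WScript.Shell COM object are assumptions of the example.

```powershell
# Added example: append --incognito to Chrome shortcuts in the current user's
# profile. The folder list below is an assumption; adjust it for your system.
$flag = '--incognito'

$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    # Quick Launch folder (assumed location under the roaming profile)
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

if (-not $folders) {
    Write-Output 'No shortcut folders found; nothing to do.'
    return
}

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $folders -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)

        # Only touch shortcuts whose target is chrome.exe.
        # GetFileName returns an empty string for shortcuts with no target.
        if ([IO.Path]::GetFileName($lnk.TargetPath) -ne 'chrome.exe') { return }

        # Leave shortcuts alone if they already carry the switch
        # (matches both the one-dash and two-dash spellings).
        if ($lnk.Arguments -match '(^|\s)--?incognito(\s|$)') {
            Write-Output "unchanged: $($_.FullName)"
            return
        }

        # Keep any existing arguments and add the switch at the end.
        $lnk.Arguments = ("$($lnk.Arguments) $flag").Trim()
        $lnk.Save()
        Write-Output "updated:   $($_.FullName) -> $($lnk.Arguments)"
    }
```

Shortcuts are the only thing this changes: Chrome started another way, for example by clicking a link in another program, still opens a normal window.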
If Google fixes this egregious privacy problem, the browser looks like it will easily contend for market share with Microsoft and Mozilla. If Google adds some additional configuration flexibility, the browser will even be suitable for use by people who understand security and privacy. The inability to choose to be prompted for an action when a “secure web page” attempts to display both secure and insecure content leaves a lot to be desired. For now I would have to recommend that most users stick with other current browsers, especially in a corporate environment, or if there is any need for privacy and confidentiality at all.
Director of Technical Education
Author ESET Research, ESET