One of the other things Jabra and I talked about that worried a lot of people was the fact that Google’s Safe Browsing software (built into Firefox and Chrome) could be used to track them. Safe Browsing is designed to protect you from phishing and malware sites by using a blacklist approach that gets downloaded to your browser on a regular basis. In an experiment that I let run for 24 hours, I watched the number of connections Firefox made out to Google. It averaged around 30 times an hour. It was more like 12 times and then 30 minutes later there would be 18 more and so on. So it wasn’t precise. Also, it may not have been a completely valid experiment because I may not have had the whole list in place since I never use Safe Browsing. The browser may have been trying to download the whole thing, which is why it was sending so much traffic. That said, it still sends an awful lot of traffic, from what I saw.
Now, that may not be so bad, except that it also gets a cookie with a unique crypto string that it sends back to Google on each request so that Google can send it back a portion of the encrypted anti-phishing/anti-malware lists. That cookie, though, is the problem. The cookie is unique per browser. So let’s say an attacker has been using their browser for a while, and then the attacker hops on a wireless network a few miles away to do their hacking. The cookie is still phoning home to Google periodically. So if the company they’re hacking into gets the Feds to issue a warrant/court-order, Google can theoretically track the attacker back to their original IP address, not just the one of the wireless network. They do this by correlating the IP that attacked the company back to Google, seeing which cookie was used by that IP during that time frame and then looking at what other IP addresses that cookie used. So it becomes critical for an attacker to blow the cookie away not only when starting their new network connection with the wireless, but also when they tear it down again before starting a new one, if they want to remain anonymous.
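The correlation described above, written out from the investigator's side as an added example (not part of the original post). The log records, cookie values and function names are constructed for illustration; the IP addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime

# Constructed request log: (timestamp, source IP, cookie value). Not real data.
LOG = [
    ("2009-08-01T09:00:00", "198.51.100.7", "cookieA"),  # usual connection
    ("2009-08-01T09:30:00", "198.51.100.7", "cookieA"),
    ("2009-08-01T14:05:00", "203.0.113.50", "cookieA"),  # wireless, same cookie
    ("2009-08-01T14:20:00", "203.0.113.50", "cookieB"),  # other browser, same IP
    ("2009-08-02T10:00:00", "192.0.2.99", "cookieB"),
    ("2009-08-03T14:00:00", "203.0.113.50", "cookieC"),  # cookie cleared before/after
]


def parse(log):
    """Turn ISO timestamps into datetime objects for window comparisons."""
    return [(datetime.fromisoformat(ts), ip, c) for ts, ip, c in log]


def cookies_for_ip(records, ip, start, end):
    """Step 1: cookies presented by `ip` inside the incident time frame."""
    return {c for ts, i, c in records if i == ip and start <= ts <= end}


def ips_for_cookies(records, cookies, exclude_ip):
    """Step 2: every other IP that ever presented one of those cookies."""
    linked = defaultdict(set)
    for _ts, ip, c in records:
        if c in cookies and ip != exclude_ip:
            linked[c].add(ip)
    return dict(linked)


def correlate(log, ip, start, end):
    """Map each cookie seen from `ip` in [start, end] to its other IPs."""
    records = parse(log)
    window = (datetime.fromisoformat(start), datetime.fromisoformat(end))
    cookies = cookies_for_ip(records, ip, *window)
    return ips_for_cookies(records, cookies, ip)


if __name__ == "__main__":
    # A tight window isolates one cookie; a wide one also pulls in cookieB,
    # because several browsers can sit behind the same wireless IP.
    print(correlate(LOG, "203.0.113.50",
                    "2009-08-01T14:00:00", "2009-08-01T14:10:00"))
    print(correlate(LOG, "203.0.113.50",
                    "2009-08-01T14:00:00", "2009-08-01T14:30:00"))
    # cookieC was only ever seen on the wireless IP, so nothing links back.
    print(correlate(LOG, "203.0.113.50",
                    "2009-08-03T00:00:00", "2009-08-03T23:59:59"))
```

The accuracy of the result depends on how narrow the time frame is: on a shared or NATed address, a wide window returns every browser behind that IP, not just the one of interest.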
Now, I could probably be convinced by people who claimed that this was just a side effect of how it is supposed to work. Sure, when you travel to Google again it is sending the same cookie, but it’s easier to use Google.com instead of safebrowsingbygoogle.com or something that wouldn’t have the additional privacy issues associated with sending this cookie when just normally using Google’s website. They already have google.com set up with load balancing and all the other snazzy stuff. Sure, I could believe all that. But here’s where I have a hard time believing it’s not for tracking.
When I started looking at Chrome I noticed two additional pieces of information that were being phoned home outside of Safe Browsing. This time, instead of it being 30 times an hour, it was more like once every 5 hours, which is still quite a bit if you ask me. The two extra pieces of data were “machineid” and “userid” - both computed from machine/user information. This information is sent along with a bunch of other browser information to ask Google if they should download an update. Now here’s the real question: why would Google need to know my machineid and userid to give me an update - wouldn’t the version number of my browser be enough to make that decision? I just can’t believe this isn’t used for tracking. There’s no more plausible deniability. What a perfect way to spy on people too… use their own browser against them in the name of security.