The browser you likely use to read this article scans practically all files on your Windows computer. And you probably had no idea until you read this. Don’t worry, you’re not the only one.
Last year, Google announced some upgrades to Chrome, by far the world’s most used browser—and the one security pros often recommend. The company promised to make internet surfing on Windows computers even “cleaner” and “safer ” adding what The Verge called “basic antivirus features.” What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.
Tensions around the issue of digital privacy are understandably high following Facebook's Cambridge Analytica scandal, but as far as we can tell there is no reason to worry here, and what Google is doing is above board.
In practice, Chome on Windows looks through your computer in search of malware that targets the Chrome browser itself using ESET’s antivirus engine. If it finds some suspected malware, it sends metadata of the file where the malware is stored, and some system information, to Google. Then, it asks you to for permission to remove the suspected malicious file. (You can opt-out of sending information to Google by deselecting the “Report details to Google” checkbox.)
A screenshot of the Chrome pop-up that appears if Chrome Cleanup Tool detects malware on your Windows computer.
Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer.
“In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation—even just to preemptively ease speculation,” Shortridge told me in an online chat. “Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of ‘user-friendly software’ that informs the policy for Chrome Cleanup [Tool].”
Her tweet got a lot of attention and caused other people in the infosec community—as well as average users such as me—to scratch their heads.
“Nobody likes surprises,” Haroon Meer, the founder at security consulting firm Thinkst, told me in an online chat. “When people fear a big brother, and tech behemoths going too far…a browser touching files it has no business to touch is going to set off alarm bells.”
Now, to be clear, this doesn’t mean Google can, for example, see photos you store on your windows machine. According to Google, the goal of Chrome Cleanup Tool is to make sure malware doesn’t mess up with Chrome on your computer by installing dangerous extensions, or putting ads where they’re not supposed to be.
Read more: The Motherboard Guide to Not Getting Hacked
As the head of Google Chrome security Justin Schuh explained on Twitter, the tool’s “sole purpose is to detect and remove unwanted software manipulating Chrome.” Moreover, he added, the tool only runs weekly, it only has normal user privileges (meaning it can’t go too deep into the system), is “sandboxed” (meaning its code is isolated from other programs), and users have to explicitly click on that box screenshotted above to remove the files and “cleanup.”
In other words, Chrome Cleanup Tool is less invasive than a regular “cloud” antivirus that scans your whole computer (including its more sensitive parts such as the kernel) and uploads some data to the antivirus company’s servers.
But as Johns Hopkins professor Matthew Green put it, most people “are just a little creeped out that Chrome started poking through their underwear drawer without asking.”
That’s the problem here: most users of an internet browser probably don’t expect it to scan and remove files on their computers.
When reached out for comment, a Google spokesperson redirected me to the blog post from last year and Schuh’s tweets.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
A section in Chrome’s Privacy Whitepaper explains that “Chrome periodically scans your device to detect potentially unwanted software.” That exact language has been there since at least January of 2017, according to archived versions of the whitepaper. And similar language (“Chrome scans your computer periodically for the sole purpose of detecting potentially unwanted software”) has been there for even longer.
Martijn Grooten, the editor of Virus Bulletin and organizer of one of the premiere antivirus conferences in the world, told me in a Twitter chat that the behavior of the Chrome Cleanup Tool was “sensible.”
“For almost all users, this seems really harmless, and for those who are extremely concerned about Google seeing some metadata, maybe they shouldn't be running Google's browser in the first place,” he said.
This story has been updated to include a quote from Kelly Shortridge.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.