A hot potato: If you are using a browser based on the Chromium open-source codebase – a group that includes Google Chrome, Microsoft Edge, Opera and Brave – you should be aware that a preinstalled extension is sending information about your CPU and GPU usage, as well as other data, to Google when you visit a Google domain. Google has a plausible explanation for the API's existence, but it is likely this news will raise hackles with the European Commission, which is already investigating Google for potential violations of its Digital Markets Act.
An API provided by a preinstalled extension called "hangout_services" in Chromium browsers is quietly sending information about users' CPU and GPU usage to Google when they visit Google websites, according to Luca Casonato, a Netherlands-based developer of JavaScript Registry and Deno.
It is also providing information about memory usage on the system and on tabs, as well as more detailed processor information and a back channel for logging, Casonato said. He noted that the APIs that enable this are not open to other websites and are only used by Google on its own sites.
For the uninitiated, Chromium is primarily developed and maintained by Google and provides the core codebase for many popular browsers, including Google Chrome, Microsoft Edge, Opera and Brave.
Non-Chromium browsers like Firefox don't have this extension, potentially putting them at a disadvantage when it comes to performance on Google sites. In addition, websites competing with Google cannot access this Chromium API, which raises concerns about potential violations of the EU's Digital Markets Act (DMA).
So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.
– Luca Casonato 🏳️‍🌈 (@lcasdev) July 9, 2024
This API is not exposed to other sites - only to *.google.com.
For example, it is possible this API could give Google services like Google Meet an unfair advantage over competitors like Zoom. In fact, one of the explanations a Google employee has given for the API is that it is used to optimize video and audio performance on Google's websites, particularly for services like Google Meet.
That was also the message from a Google spokesperson speaking to The Register. "Today, we primarily use this extension for two things: To improve the user experience by optimizing configurations for video and audio performance based on system capabilities [and] provide crash and performance issue reporting data to help Google services detect, debug, and mitigate user issues."
If things get really sticky for Google, there are other explanations it could offer, like arguing that this is a standard part of the browser's functionality, as it's implemented through a preinstalled extension.
As for the API being only accessible to Google domains, Google could well position this as a security measure to prevent misuse by third parties.
Meanwhile, the European Commission is already investigating Google, along with Meta and Apple, for potential DMA violations, and this API could factor into those investigations. Almost surely, the quiet collection of user data without explicit consent would be seen as a violation of privacy principles. Moreover, the EU has been pushing for greater digital sovereignty, so data being sent to a US-based company without user knowledge could be a red flag for the Commission.