Since the googleupdate tool which silently ships with google chrome is hardly under criticism, I searched for a way to install google chrome without the update.

Google itself provides an installer which ships without googleupdate. Make sure you have uninstalled google chrome and killed and disabled the updater in msconfig and the scheduled tasks menu.

Auto-suggestions

Without googleupdate no kind of unique application number is send to google to allow them to track you. You may also want to deactivate the Auto-suggestions feature which sends a complete request to google when you type in your address bar.

Navigation error

Another option that talks back to google is the “Show suggestions for navigation errors” feature. It asks google about alternative websites when you try to visit a webpage that does not exist. You can deactivate it in the Options->Under the Hood menu.

Phishing and malware protection

And if your are really paranoid you may want to deactivate the “phishing and malware protection”. You can also find this option in the Options->Under the Hood menu. But be sure you have read this article since the malware protection does not allow any tracking of visited sites.

EULA problems

The internet is full of articles concerning the following part of the google chrome EULA:

You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services.By submitting, posting or displaying the content, you give Google a perpetual, irrevocable, worldwide, royalty-free and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content that you submit, post or display on or through the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

As you can read in this news post google has admitted that this is a really bad failure. And it will be changed soon.

Update: As moeffju just commented, google has updated chrome’s EULA.

RLZ.dll

Emiraga found another strange code passage in the google chrome code. It is an interface to the RLZ.dll which ships with the google chrome version. Since the source code of rlz.dll is unknown and it seems to be used to record and send “certain lifetime events” you may want to disable it.

Chrome does not depend on this DLL file, so emiraga suggests to look for this file with the search function of Windows and delete it. (You have to close chrome first). You may not have this file when you installed chrome via the offline installer.

I don’t know what information is integrated in these RLZ reports, it may be harmless, but since it is closed source you cannot be sure.

The silent Chrome Browser

Well with these simple options your browser is even more silent than his colleagues Firefox or Internet Explorer. So you can give Chrome a try without bothering about privacy. You may also want to read my previous blog post about privacy in chrome.

Please feel free to comment if you have any suggestions or any doubts regarding the remaining communications of google chrome.

Sources:

• http://www.winmatrix.com/forums/index.php?showtopic=19868
• http://www.google.com/chrome/intl/en/privacy.html
• http://www.mattcutts.com/blog/google-chrome-communication/

I had many discussions this day about the privacy policy of google chrome. The most arguments against chromes privacy policy are:

• The unique application number allows google to track me
• The auto completion sends every URL to google
• The  Phishing service sends every visited site to google
• The updater searches for your e-mail address and sends it to google

Well that’s a lot of stuff. But when you take a closer look at chromium most of these “arguments” expose as exaggerated. More details:

The unique application number

Sounds scary, but this number is only used during update checks. Chrome does not send this number with any other requests. Many programs that use automatic update checks use some kind of unique id to identify each program installation. Firefox does too.

This feature (the Automated Update Service) also sends Potentially Personal Information to Mozilla in the form of a cookie named “aus” that contains a unique numeric value to distinguish individual Firefox installs. Mozilla uses this information to provide you with updated versions of Firefox and to understand the usage patterns of Firefox users.

I pointed out the location of the application number in the registry here, but that the location was wrong, since it was part of the installer, not the updater. I am sorry for this. But there is a much simpler solution below.

Association with your IP (Update #2)

The unique application number is worthless on its own, since it does not contain any private information. But google could use the update check to associate your application number with your IP-address. This mapping alone is worthless too but when combined with existing information databases such as search logs or website statistics this whould make it possible to determine the application number behind these IPs.

But I personally don’t think that this information would lead to statistically relevant data. Since dynamic IP addresses are common practice it will be hard to determine the time frame in which the IP-to-application-number-mapping is valid. The updater checks for updates about once a day, it does not try to update on chrome start-up. That means that google could see once a day which application number this IP is using. But it cannot be sure if the IP address is used by any other consumer half an hour later. Small and imprecise statistics are not worth anything, so i doubt that google will try to use these informations.

Solution

Well since this is not a Chrome, but a google updater problem the easiest solution is to uninstall google chrome, and install it again using the offline installer which does not contain the updater.

Auto completion via google.com

Well for some people this is a nice feature. But this implies that everything you type into the address bar is sent to google.com. Gladly you can deactivate this feature in the Search Engine Options Menu. Some people say that Chrome will continue sending you address bar entries (german), but I have not observed any auto complete packages after deactivating the feature.

The anti-phishing service

The  anti-phishing service uses the same technique as Firefox3. It frequently downloads a list of potential dangerous sites and checks your visited sites against this list. When you visit a potential dangerous site the Browser sends a request to google which contains a hashed value of the visited website. This ensures that the website is really listed, because your local list may be outdated. Using a hash value leaves no possibility for google to get any private information about your visited sites.

The updater and mail-addresses (Updated)

Some people have observed their mail address transferred to google (german). I wanted to test that for myself and the only thing that was transferred via my googleupdater service is my application id. I cannot confirm the transfer of private data over the google updater, but it still remains suspicious.

Digging into the code and talking with some chromium developer, the most obvious reason for this is that the users declared their address as feedback address. There is not indication for Chrome searching for your mail address and sending it back to google.

What remains? And how do I get rid of that?

You may want to look at my next blog post, which describes how to configure chrome to be silent.

Sources: Chromium Source Code
Google Chrome privacy policy
Google Chrome communication

Additionaly I watched the traffic using wireshark, to see what chrome is sending back to google.